
Re: [OATH-Toolkit-help] pam_oath and openssh


From: Simon Josefsson
Subject: Re: [OATH-Toolkit-help] pam_oath and openssh
Date: Mon, 25 Apr 2011 20:49:23 +0200
User-agent: Gnus/5.110016 (No Gnus v0.16) Emacs/23.2 (gnu/linux)

Fanis Dokianakis <address@hidden> writes:

> Hello to all,
>
> It seems that pam-oath cannot be used out of the box for ssh logins, since I
> always get the following error after successful authentication:
> fatal: PAM: pam_setcred(): Authentication service cannot retrieve user 
> credentials
>
> I've used versions 1.4.6 (debian package) and 1.6.2 and I located the problem 
> with the pam_sm_setcred() function in pam_oath/pam_oath.c. The openssh server 
> probably does not use the same process for pam_sm_authenticate and 
> pam_sm_setcred, so it is possible that you cannot check for the return value 
> of authentication from within the pam_sm_setcred().
>
> I searched the list archives and some guy in January also mentioned this, so I
> solved this with always returning PAM_SUCCESS from the function. But I do not
> know anything about pam to be certain if this is not a security hole or if it
> does not cripple functionality (Kerberos tickets etc).

Hi!  Welcome to the list.  Thanks for tracking down this.  I chased down
the same bug a month or so ago for a different PAM module so I am
familiar with the problem.  My conclusion then, and now, is that the
setcred function is not relevant for what we are doing, so it could just
as well be removed -- I'm releasing 1.6.3 with that ASAP and I'll let
you confirm that it is solved.

Cheers,
/Simon
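
An added illustration of the failure discussed in this thread, not code from pam_oath or OpenSSH: a small C model in which authenticate runs in a forked child and setcred runs in the parent, so a setcred that depends on a result stored during authenticate finds nothing. The `model_*` functions, `struct handle` and the return-code constants are constructed for this example and only stand in for PAM's per-handle module data and return codes; the model also assumes the application stops the login when authenticate fails.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-ins for PAM return codes (not the real header values). */
enum { M_SUCCESS = 0, M_AUTH_ERR = 1, M_CRED_UNAVAIL = 2 };

/* Model of the module data a PAM handle keeps inside one process. */
struct handle { int has_auth_result; int auth_result; };

/* authenticate: check the OTP (stubbed as a flag) and store the result. */
static int model_authenticate(struct handle *h, int otp_ok) {
    h->auth_result = otp_ok ? M_SUCCESS : M_AUTH_ERR;
    h->has_auth_result = 1;
    return h->auth_result;
}

/* Strict setcred: replays the stored result, fails when none is stored. */
static int model_setcred_strict(const struct handle *h) {
    return h->has_auth_result ? h->auth_result : M_CRED_UNAVAIL;
}

/* No-op setcred: the module has no credentials of its own to establish. */
static int model_setcred_noop(const struct handle *h) { (void)h; return M_SUCCESS; }

/* authenticate in a forked child, setcred in the parent.
   Returns the setcred result, or -1 if the login was rejected earlier. */
static int split_process_login(int otp_ok, int (*setcred)(const struct handle *)) {
    struct handle h = {0, 0};
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(model_authenticate(&h, otp_ok)); /* writes the child's copy */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) != M_SUCCESS) return -1;     /* failed auth stops here */
    return setcred(&h);              /* parent's handle never saw the stored result */
}

/* Same flow inside one process, for comparison. */
static int single_process_login(int otp_ok, int (*setcred)(const struct handle *)) {
    struct handle h = {0, 0};
    if (model_authenticate(&h, otp_ok) != M_SUCCESS) return -1;
    return setcred(&h);
}

int main(void) {
    printf("single/strict=%d split/strict=%d split/noop=%d\n",
           single_process_login(1, model_setcred_strict),
           split_process_login(1, model_setcred_strict),
           split_process_login(1, model_setcred_noop));
    return 0;
}
```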


