[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[OATH-Toolkit-help] pam_oath and openssh

From: Fanis Dokianakis
Subject: [OATH-Toolkit-help] pam_oath and openssh
Date: Mon, 25 Apr 2011 12:49:43 +0300
User-agent: KMail/1.13.6 (Linux/2.6.38-matrix; KDE/4.6.1; x86_64; ; )

Hello to all,

It seems that pam-oath cannot be used out of the box for ssh logins, since I 
always get the following error after successfull authentication:
fatal: PAM: pam_setcred(): Authentication service cannot retrieve user 

I've used versions 1.4.6 (debian package) and 1.6.2 and I located the problem 
with the pam_sm_setcred() function in pam_oath/pam_oath.c. The openssh server 
probably does not use the same process for pam_sm_authenticate and 
pam_sm_setcred, so it is possible that you cannot check for the return value 
of authentication from within the pam_sm_setcred().

I searched the list archives and some guy in January also mentioned this, so I 
solved this with always returning PAM_SUCCESS from the function. But I do not 
know anything about pam to be certain if this is not a security hole or if it 
does not cripples functionality (kerberors tickets etc).

Thank you,

Attachment: signature.asc
Description: This is a digitally signed message part.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]