[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [OATH-Toolkit-help] pam_oath and openssh

From: Simon Josefsson
Subject: Re: [OATH-Toolkit-help] pam_oath and openssh
Date: Mon, 25 Apr 2011 20:49:23 +0200
User-agent: Gnus/5.110016 (No Gnus v0.16) Emacs/23.2 (gnu/linux)

Fanis Dokianakis <address@hidden> writes:

> Hello to all,
> It seems that pam-oath cannot be used out of the box for ssh logins, since I 
> always get the following error after successfull authentication:
> fatal: PAM: pam_setcred(): Authentication service cannot retrieve user 
> credentials
> I've used versions 1.4.6 (debian package) and 1.6.2 and I located the problem 
> with the pam_sm_setcred() function in pam_oath/pam_oath.c. The openssh server 
> probably does not use the same process for pam_sm_authenticate and 
> pam_sm_setcred, so it is possible that you cannot check for the return value 
> of authentication from within the pam_sm_setcred().
> I searched the list archives and some guy in January also mentioned this, so 
> I 
> solved this with always returning PAM_SUCCESS from the function. But I do not 
> know anything about pam to be certain if this is not a security hole or if it 
> does not cripples functionality (kerberors tickets etc).

Hi!  Welcome to the list.  Thanks for tracking down this.  I chased down
the same bug a month or so ago for a different PAM module so I am
familiar with the problem.  My conclusion then, and now, is that the
setcred function is not relevant for what we are doing, so it could just
as well be removed -- I'm releasing 1.6.3 with that ASAP and I'll let
you confirm that it is solved.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]