[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [OATH-Toolkit-help] pam_oath and pam_unix' try_first_pass

From: Christian Hesse
Subject: Re: [OATH-Toolkit-help] pam_oath and pam_unix' try_first_pass
Date: Thu, 31 May 2012 01:38:25 +0200

Christian Hesse <address@hidden> on Wed, 2012/05/09 11:55:
> Hello everybody,
> This is from man pam_unix:
> > try_first_pass
> >            Before prompting the user for their password, the module first
> > tries the previous stacked module's password in case that satisfies this
> > module as well.
> I think pam_oath has a similar option.
> So I tested with these in my pam configuration:
> auth sufficient pam_unix.so
> -auth required pam_oath.so usersfile=/etc/users.oath digits=6 try_first_pass
> and
> -auth sufficient pam_oath.so usersfile=/etc/users.oath digits=6
> auth required pam_unix.so try_first_pass
> My understanding is that I get one prompt that accepts unix and oath
> password. But obviously this does not work, authentication fails for the
> line containing try_first_pass.
> Anything I misunderstood? How is this expected to work?

I did some debugging... Looks like pam_get_item() at line 161 writes a memory
address to password that is not guaranteed to persist. The memory is
overwritten or cleared in pam_set_item() at line 275, thus the following
strncpy() does not copy anything useful.

The attached patch fixes it for me, though I am not sure this is a 'clean'
main(a,b){char*/*    Schoene Gruesse                         */c="B?IJj;M"
"EHCX:;";for(a/*    Chris           get my mail address:    */=0;b=c[a++];)
putchar(b-1/(/*               gcc -o sig sig.c && ./sig    */b/42*2-3)*42);}

Attachment: oath.patch
Description: Text Data

reply via email to

[Prev in Thread] Current Thread [Next in Thread]