
RE: Use of "[success=ok ...]" form



Andrew Morgan <morgan@transmeta.com> writes:
> > >                                         I'd *love* 
> > > to see the SysAdmin manual include the complex forms 
> > > for all four simple forms so I won't have to go code-diving 
> > > next time.
> Please file a bug report:

Done.

> > > Second problem - coding exactly that results in different
> > > behavior from "optional".
> > > Specifically, when my test-module returns PAM_SERVICE_ERR, later modules
> > > in the stack aren't executed with the complex form, but are with the simple form.
> 
> Mmm. This may well be a bug. Could you offer an explicit example
> configuration that fails for you and I'll see if I can get to the bottom
> of this?

Here's an example, thinned down to the bare minimum, with excerpts
from the syslog for a login-attempt under each one.  In both cases,
the userid and password were the same and correct according to /etc/passwd 
and /etc/shadow.  I'm using two very small PAM modules, one for 
debugging (pam_dump_info.so) and one for this demonstration (pam_rc.so).  
The former just blasts the contents of the pam_handle structure out to
syslog(), the latter exits with the return code specified as its
parameter ("3" is PAM_SERVICE_ERR, "0" is PAM_SUCCESS).  As far as I
can tell, they should behave identically, yet they do not.  I got the
supposedly-correct [...] form from 

This case works as expected - the user can log in:

# cat /etc/pam.d/login
#%PAM-1.0
auth      required      /lib/security/pam_dump_info.so before
auth     optional      /lib/security/pam_rc.so 3 0
#auth  [success=ok new_authtok_reqd=ok default=ignore] \
#                      /lib/security/pam_rc.so 3 0
auth     requisite     /lib/security/pam_unix.so       nullok #set_secrpc
auth      required      /lib/security/pam_dump_info.so after

# tail -f /var/log/messages
Mar 12 15:20:40 linux008 in.telnetd[14371]: connect from ross@138.42.29.80 (138.42.29.80)
Mar 12 15:20:41 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->oldauthtok = "(null)"
Mar 12 15:20:41 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->service_name = "login"
Mar 12 15:20:41 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->user = "(null)"
Mar 12 15:20:41 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->rhost = "patro07-l.ca.com"
Mar 12 15:20:41 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->ruser = "(null)"
Mar 12 15:20:41 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->tty = "/dev/pts/2"
Mar 12 15:20:41 linux008 login: pam_rc.c: pam_sm_authenticate: returning 3
Mar 12 15:20:44 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->oldauthtok = "(null)"
Mar 12 15:20:44 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->service_name = "login"
Mar 12 15:20:44 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->user = "ross"
Mar 12 15:20:44 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->rhost = "patro07-l.ca.com"
Mar 12 15:20:44 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->ruser = "(null)"
Mar 12 15:20:44 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->tty = "/dev/pts/2"
Mar 12 15:20:44 linux008 PAM-warn[14372]: service: login [on terminal: /dev/pts/2]
Mar 12 15:20:44 linux008 PAM-warn[14372]: user: (uid=0) -> ross [remote: ?nobody@patro07-l.ca.com]
Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: before pamh->oldauthtok = "(null)"
Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: before pamh->service_name = "login"
Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: before pamh->user = "ross"
Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: before pamh->rhost = "patro07-l.ca.com"
Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: before pamh->ruser = "(null)"
Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: before pamh->tty = "/dev/pts/2"
Mar 12 15:20:44 linux008 login[14372]: pam_rc.c: pam_sm_setcred: returning 0
Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: after pamh->oldauthtok = "(null)"
Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: after pamh->service_name = "login"
Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: after pamh->user = "ross"
Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: after pamh->rhost = "patro07-l.ca.com"
Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: after pamh->ruser = "(null)"
Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: after pamh->tty = "/dev/pts/2"
Mar 12 15:20:44 linux008 PAM-warn[14372]: service: login [on terminal: /dev/pts/2]
Mar 12 15:20:44 linux008 PAM-warn[14372]: user: (uid=0) -> ross [remote: ?nobody@patro07-l.ca.com]
Mar 12 15:20:44 linux008 PAM-unix2[14372]: session started for user ross, service login 
Mar 12 15:20:47 linux008 PAM-warn[14372]: service: login [on terminal: /dev/pts/2]
Mar 12 15:20:47 linux008 PAM-warn[14372]: user: (uid=0) -> ross [remote: ?nobody@patro07-l.ca.com]
Mar 12 15:20:47 linux008 PAM-unix2[14372]: session finished for user ross, service login 

This case does not work as expected - the user cannot log in:

# cat /etc/pam.d/login
#%PAM-1.0
auth      required      /lib/security/pam_dump_info.so before
#auth    optional      /lib/security/pam_rc.so 3 0
auth   [success=ok new_authtok_reqd=ok default=ignore] \
                       /lib/security/pam_rc.so 3 0
auth     requisite     /lib/security/pam_unix.so       nullok #set_secrpc
auth      required      /lib/security/pam_dump_info.so after

# tail -f /var/log/messages
Mar 12 15:21:17 linux008 in.telnetd[14386]: connect from ross@138.42.29.80 (138.42.29.80)
Mar 12 15:21:18 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->oldauthtok = "(null)"
Mar 12 15:21:18 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->service_name = "login"
Mar 12 15:21:18 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->user = "(null)"
Mar 12 15:21:18 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->rhost = "patro07-l.ca.com"
Mar 12 15:21:18 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->ruser = "(null)"
Mar 12 15:21:18 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->tty = "/dev/pts/2"
Mar 12 15:21:18 linux008 login: pam_rc.c: pam_sm_authenticate: returning 3
Mar 12 15:21:21 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->oldauthtok = "(null)"
Mar 12 15:21:21 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->service_name = "login"
Mar 12 15:21:21 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->user = "ross"
Mar 12 15:21:21 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->rhost = "patro07-l.ca.com"
Mar 12 15:21:21 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->ruser = "(null)"
Mar 12 15:21:21 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->tty = "/dev/pts/2"
Mar 12 15:21:21 linux008 login: FAILED LOGIN SESSION FROM patro07-l.ca.com FOR ross, Error in service module

> > > What gives?  Anybody understand this stuff?
> 
> Well, I thought I did.

I thought I did too :-)

Ross Patterson
Computer Associates
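As an added illustration (not part of Ross's post and not Linux-PAM's own code), here is a small simulator of the stack semantics as the Linux-PAM documentation describes them, including the documented expansion of the four simple keywords into the `[...]` form. Under those rules the `optional` stack and the `[success=ok new_authtok_reqd=ok default=ignore]` stack above should both run all four modules and succeed, which is why the logged divergence looks like a bug rather than a misconfiguration. The numeric return codes and the "denied when no module contributed" fallback are assumptions noted in the comments.

```python
# Simulator of Linux-PAM stack semantics per pam.conf(5); added for this thread, not part of the post or of Linux-PAM.
PAM_SUCCESS, PAM_SERVICE_ERR, PAM_PERM_DENIED = 0, 3, 6   # assumed numeric values of the libpam constants
RET_NAMES = {0: "success", 3: "service_err", 6: "perm_denied", 12: "new_authtok_reqd", 25: "ignore"}

SIMPLE = {  # the documented expansion of each simple keyword into the complex form
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(control):
    """Map a control field (simple keyword or [...] form) to {return-name: action}."""
    control = SIMPLE.get(control, control)
    return dict(kv.split("=", 1) for kv in control.strip("[]").split())

def run_stack(stack):
    """stack: list of (control, return_code) per module. Returns (final status, indices of modules that ran)."""
    actions = [parse_control(c) for c, _ in stack]
    executed, status, failed, i = [], None, False, 0
    while i < len(stack):
        rc = stack[i][1]
        executed.append(i)
        act = actions[i].get(RET_NAMES.get(rc, ""), actions[i].get("default", "bad"))
        if act == "bad":                      # remember the first failure, keep going
            if not failed:
                failed, status = True, rc
        elif act == "die":                    # fail and stop the stack immediately
            if not failed:
                status = rc
            break
        elif act == "reset":                  # forget everything seen so far
            status, failed = None, False
        elif act != "ignore":                 # ok, done, or a jump count N (ok plus skip N)
            if not failed:
                status = rc
            if act == "done":
                break
            if act.isdigit():
                i += int(act)
        i += 1
    # Assumption: a stack to which no module contributed a status is treated as denied.
    return (PAM_PERM_DENIED if status is None else status), executed

def thread_case(rc_control):
    """The post's four-line auth stack; pam_rc.so returns PAM_SERVICE_ERR, every other module succeeds."""
    return [("required", PAM_SUCCESS), (rc_control, PAM_SERVICE_ERR),
            ("requisite", PAM_SUCCESS), ("required", PAM_SUCCESS)]
```

Swapping `optional` for `requisite` or `required` in `thread_case` shows the two outcomes the poster expected to differ (stop early vs. run everything but fail), which neither of the logged configurations should produce.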