
Re: Use of "[success=ok ...]" form



Ross,

Could you supply more information?

The pam.d/login file you supply makes no reference to pam_warn, but I
see entries for this in the log. I'm guessing that they are from your
'other' file, but I'd like to know what it contains.

"Patterson, Ross" wrote:
> auth     optional      /lib/security/pam_rc.so 3 0

And then you explain:

> syslog(), the latter exits with the return code specified as its
> parameter ("3" is PAM_SERVICE_ERR, "0" is PAM_SUCCESS).  As far as I
> can tell, they should behave identically, yet they do not.  I got the
> supposedly-correct [...] form from

But this doesn't explain the 3 _and_ the 0 in the above argument list.
If there had been one argument, I think I would understand, but there
isn't.

I should say that I have tried to reproduce your problem with pam_debug
and pam_warn against top of trunk CVS and have not had any luck. That
is, both flavors of control description work identically for me. Are you
sure that your pam_rc.so module works as you have described it?

Thanks

Andrew

"Patterson, Ross" wrote:
> 
> Andrew Morgan <morgan@transmeta.com> writes:
> > > >                                         I'd *love*
> > > > to see the SysAdmin manual include the complex forms
> > > > for all four simple forms so I won't have to go code-diving
> > > > next time.
> > Please file a bug report:
> 
> Done.
> 
> > > > Second problem - coding exactly that results in different
> > > > behavior from "optional".
> > > > Specifically, when my test-module returns PAM_SERVICE_ERR,
> > > > later modules in the stack aren't executed with the complex
> > > > form, but are with the simple form.
> >
> > Mmm. This may well be a bug. Could you offer an explicit example
> > configuration that fails for you and I'll see if I can get to
> > the bottom of this?
> 
> Here's an example, thinned down to the bare minimum, with excerpts
> from the syslog for a login-attempt under each one.  In both cases,
> the userid and password were the same and correct according to /etc/passwd
> and /etc/shadow.  I'm using two very small PAM modules, one for
> debugging (pam_dump_info.so) and one for this demonstration (pam_rc.so).
> The former just blasts the contents of the pam_handle structure out to
> syslog(), the latter exits with the return code specified as its
> parameter ("3" is PAM_SERVICE_ERR, "0" is PAM_SUCCESS).  As far as I
> can tell, they should behave identically, yet they do not.  I got the
> supposedly-correct [...] form from
> 
> This case works as expected - the user can log in:
> 
> # cat /etc/pam.d/login
> #%PAM-1.0
> auth      required      /lib/security/pam_dump_info.so before
> auth     optional      /lib/security/pam_rc.so 3 0
> #auth  [success=ok new_authtok_reqd=ok default=ignore] \
> #                      /lib/security/pam_rc.so 3 0
> auth     requisite     /lib/security/pam_unix.so       nullok #set_secrpc
> auth      required      /lib/security/pam_dump_info.so after
> 
> # tail -f /var/log/messages
> Mar 12 15:20:40 linux008 in.telnetd[14371]: connect from ross@138.42.29.80 (138.42.29.80)
> Mar 12 15:20:41 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->oldauthtok = "(null)"
> Mar 12 15:20:41 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->service_name = "login"
> Mar 12 15:20:41 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->user = "(null)"
> Mar 12 15:20:41 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->rhost = "patro07-l.ca.com"
> Mar 12 15:20:41 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->ruser = "(null)"
> Mar 12 15:20:41 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->tty = "/dev/pts/2"
> Mar 12 15:20:41 linux008 login: pam_rc.c: pam_sm_authenticate: returning 3
> Mar 12 15:20:44 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->oldauthtok = "(null)"
> Mar 12 15:20:44 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->service_name = "login"
> Mar 12 15:20:44 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->user = "ross"
> Mar 12 15:20:44 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->rhost = "patro07-l.ca.com"
> Mar 12 15:20:44 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->ruser = "(null)"
> Mar 12 15:20:44 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->tty = "/dev/pts/2"
> Mar 12 15:20:44 linux008 PAM-warn[14372]: service: login [on terminal: /dev/pts/2]
> Mar 12 15:20:44 linux008 PAM-warn[14372]: user: (uid=0) -> ross [remote: ?nobody@patro07-l.ca.com]
> Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: before pamh->oldauthtok = "(null)"
> Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: before pamh->service_name = "login"
> Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: before pamh->user = "ross"
> Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: before pamh->rhost = "patro07-l.ca.com"
> Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: before pamh->ruser = "(null)"
> Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: before pamh->tty = "/dev/pts/2"
> Mar 12 15:20:44 linux008 login[14372]: pam_rc.c: pam_sm_setcred: returning 0
> Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: after pamh->oldauthtok = "(null)"
> Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: after pamh->service_name = "login"
> Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: after pamh->user = "ross"
> Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: after pamh->rhost = "patro07-l.ca.com"
> Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: after pamh->ruser = "(null)"
> Mar 12 15:20:44 linux008 login[14372]: pam_dump_info.c: pam_sm_setcred: after pamh->tty = "/dev/pts/2"
> Mar 12 15:20:44 linux008 PAM-warn[14372]: service: login [on terminal: /dev/pts/2]
> Mar 12 15:20:44 linux008 PAM-warn[14372]: user: (uid=0) -> ross [remote: ?nobody@patro07-l.ca.com]
> Mar 12 15:20:44 linux008 PAM-unix2[14372]: session started for user ross, service login
> Mar 12 15:20:47 linux008 PAM-warn[14372]: service: login [on terminal: /dev/pts/2]
> Mar 12 15:20:47 linux008 PAM-warn[14372]: user: (uid=0) -> ross [remote: ?nobody@patro07-l.ca.com]
> Mar 12 15:20:47 linux008 PAM-unix2[14372]: session finished for user ross, service login
> 
> This case does not work as expected - the user cannot log in:
> 
> # cat /etc/pam.d/login
> #%PAM-1.0
> auth      required      /lib/security/pam_dump_info.so before
> #auth    optional      /lib/security/pam_rc.so 3 0
> auth   [success=ok new_authtok_reqd=ok default=ignore] \
>                        /lib/security/pam_rc.so 3 0
> auth     requisite     /lib/security/pam_unix.so       nullok #set_secrpc
> auth      required      /lib/security/pam_dump_info.so after
> 
> # tail -f /var/log/messages
> Mar 12 15:21:17 linux008 in.telnetd[14386]: connect from ross@138.42.29.80 (138.42.29.80)
> Mar 12 15:21:18 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->oldauthtok = "(null)"
> Mar 12 15:21:18 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->service_name = "login"
> Mar 12 15:21:18 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->user = "(null)"
> Mar 12 15:21:18 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->rhost = "patro07-l.ca.com"
> Mar 12 15:21:18 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->ruser = "(null)"
> Mar 12 15:21:18 linux008 login: pam_dump_info.c: pam_sm_authenticate: before pamh->tty = "/dev/pts/2"
> Mar 12 15:21:18 linux008 login: pam_rc.c: pam_sm_authenticate: returning 3
> Mar 12 15:21:21 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->oldauthtok = "(null)"
> Mar 12 15:21:21 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->service_name = "login"
> Mar 12 15:21:21 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->user = "ross"
> Mar 12 15:21:21 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->rhost = "patro07-l.ca.com"
> Mar 12 15:21:21 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->ruser = "(null)"
> Mar 12 15:21:21 linux008 login: pam_dump_info.c: pam_sm_authenticate: after pamh->tty = "/dev/pts/2"
> Mar 12 15:21:21 linux008 login: FAILED LOGIN SESSION FROM patro07-l.ca.com FOR ross, Error in service module
> 
> > > > What gives?  Anybody understand this stuff?
> >
> > Well, I thought I did.
> 
> I thought I did too :-)
> 
> Ross Patterson
> Computer Associates
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
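
An added example, not code from this thread or from Linux-PAM: a small Python parser that expands each simple control keyword to its bracketed form (the table given in Linux-PAM's pam.conf(5)) and compares the two `auth` stacks quoted above. `parse_stack` and `action_for` are names made up for this sketch; it compares what the configuration says and does not reproduce libpam's dispatch code.

```python
import re

# Bracketed equivalents of the simple control keywords, per Linux-PAM pam.conf(5).
SIMPLE = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return [(type, actions, module, args), ...] for a pam.d service file."""
    stack = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        mtype, control, module, rest = m.groups()
        spec = control[1:-1] if control.startswith("[") else SIMPLE[control]
        actions = dict(pair.split("=", 1) for pair in spec.split())
        args = rest.split("#", 1)[0].split()            # drop trailing comment
        stack.append((mtype, actions, module, args))
    return stack

def action_for(actions, token):
    """Action the stack takes for a return-code token such as 'service_err'."""
    return actions.get(token, actions["default"])

# The two auth stacks from the thread (pam_dump_info lines omitted for brevity).
SIMPLE_FORM = r"""#%PAM-1.0
auth     optional      /lib/security/pam_rc.so 3 0
auth     requisite     /lib/security/pam_unix.so       nullok #set_secrpc
"""
BRACKET_FORM = r"""#%PAM-1.0
auth   [success=ok new_authtok_reqd=ok default=ignore] \
                       /lib/security/pam_rc.so 3 0
auth     requisite     /lib/security/pam_unix.so       nullok #set_secrpc
"""

if __name__ == "__main__":
    a, b = parse_stack(SIMPLE_FORM), parse_stack(BRACKET_FORM)
    print("identical action tables:", a == b)
    print("pam_rc on service_err:", action_for(b[0][1], "service_err"))
```

Both files reduce to the same action table, with `service_err` from pam_rc.so mapped to `ignore`, so a difference in behaviour between them has to come from somewhere other than the control field as written.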




