FW: Additional input (second password) during login

Joe Lewis joe at joe-lewis.com
Wed Feb 25 21:09:55 UTC 2004


Allow me to make a stab at this.  I am thinking that there COULD be two 
possibilities.

1) PAM makes a copy of the password provided before supplying it all the 
way to the library, and pam_set_item() only modifies the temporary 
instance of it (for this specific module).

2) On a set item, it may not be overwriting the password, but just 
setting a new entry in an ITEMS table (apache-ish), and that would mean 
that the other modules get the original (the first entry in a table) 
password, rather than the modified.

The only alternative that you might have to discover what is truly 
happening is to look at the pam library source code.

Joe

Redhat.Pam wrote:
> Hi
> 
> Since I spot some activity in the forum, I'll try to ask once more... :-)
> 
> Happy New Year 
> Claus
> _______
> 
> Why can't I change the current password (AUTHTOK) using pam_set_item for
> the other auth modules to see?
> Do I need some pam_setcred magic or... ?
> Are the other modules getting a pam handle to the same pam data, or do they
> get a handle to a copy of the data?
> 
> Best regards
> Claus Bruun
>  
> 
> 
> -----Original Message-----
> From: pam-list-admin at redhat.com [mailto:pam-list-admin at redhat.com] On
> Behalf Of CB Maillist
> Sent: 10. december 2003 12:38
> To: pam-list at redhat.com
> Subject: RE: Additional input (second password) during login
> 
> 
> 
> I implemented it yesterday, but I have problems storing the first part
> of the password for the rest of the modules to see. I am using this code:
> 
> 
> 	const char *password = NULL;   /* combined "<normalpw>:<onetimepw>" as typed at the prompt */
> 	char *password2, *password3;
> 
> 	retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&password);
> 	if (retval != PAM_SUCCESS || password == NULL)
> 	{
> 		_pam_log(LOG_ERR, "Could not retrieve user's password");
> 		return -2;
> 	}
> 	password2 = strdup(password);          /* private copy that can be split in place */
> 	password3 = strchr(password2, ':');
> 	if (!password3)
> 	{
> 		_pam_log(LOG_ERR, "Could not retrieve user's password (no secureid part found)");
> 		free(password2);
> 		return -2;
> 	}
> 
> 	*password3++ = 0;                      /* password2 = normal pw, password3 = one-time part */
> 
> 	retval = user_lookup(username, password3);
> 
> 	if (retval != 0)
> 	{
> 		_pam_log(LOG_ERR, "Could not verify user");
> 		free(password2);
> 		return -2;
> 	}
> 
> 	/* Otherwise, the authentication looked good.
> 	 * The original line also logged both password parts here; plaintext
> 	 * credentials must never go to syslog, so only user and host are logged. */
> 
> 	_pam_log(LOG_NOTICE, "user '%s' granted access from host %s", username, rhost);
> 
> 	/* password2 is kept alive on purpose: whether pam_set_item() copies the
> 	 * value or keeps a reference is exactly the open question in this thread. */
> 	retval = pam_set_item(pamh, PAM_AUTHTOK, password2);
> 	if (retval != PAM_SUCCESS)
> 	{
> 		_pam_log(LOG_ERR, "Could not set password (%d)", retval);
> 		return -2;
> 	}
> 	return PAM_SUCCESS;
> 
> 			
> Even though pam_set_item returns OK, the password is not set.
> When I read AUTHTOK in the next module it's still the original two-part
> password...
> 
> Any ideas ?
> 
> 
> Best regards
> Claus Bruun
>  
> 
> 
> -----Original Message-----
> From: pam-list-admin at redhat.com [mailto:pam-list-admin at redhat.com] On
> Behalf Of Tobias Schaefer
> Sent: 9. december 2003 11:46
> To: pam-list at redhat.com
> Subject: RE: Additional input (second password) during login
> 
> 
> Hi Lucas,
> 
> 
>>I figured this out already. But as I understand PAM puts the
>>credentials in a store for all modules to read from. Where should I do
>>the input of the second password - in my own module?
> 
> 
> if you think about local authentication (instead of ssh/sshd) you would
> use the communication function to provide a second password prompt to
> the user and get his response. I did this some time ago for an AFS
> authentication module.
> 
> 
>>I considered something like
>>
>>1. inputting the combined password <normalpw><onetimepw> to the login
>>   prompt
>>2. let my onetime password routine kick in first and, if remote
>>   is on an external net, verify <onetimepw>.
>>   If ok, modify the stored pw by stripping off the onetime part
>>3. let the normal auth verify the rest.
> 
> 
> That should work. A problem might be a length restriction on the
> password in the communication between ssh and sshd. I don't know what a
> safe length would be.
> 
> 
> Tobias
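As an added example (not code from this thread), here is a stand-alone, bounds-checked version of the splitting step from Claus's module, written so the "no one-time part", "empty half" and "too long" cases (the length limit Tobias mentions) each fail cleanly and leave no partial secret in the output buffers. It assumes the ':' separator his code uses; the helper name, the MAX_COMBINED_LEN value and the result codes are this example's own, and the surrounding pam_get_item()/pam_set_item() calls are shown only in a comment so the block compiles without the PAM headers.

```c
#include <stddef.h>
#include <string.h>

/* Upper bound on the combined token. Tobias notes ssh/sshd may limit the
 * password length; the value here is an assumption for this example, not
 * a PAM or OpenSSH constant. */
#define MAX_COMBINED_LEN 128

enum split_result {
    SPLIT_OK = 0,
    SPLIT_NO_SEPARATOR,   /* no ':' present: no one-time part was typed */
    SPLIT_EMPTY_PART,     /* one of the two halves is empty */
    SPLIT_TOO_LONG        /* input exceeds MAX_COMBINED_LEN or a buffer */
};

/* Split "<normalpw>:<onetimepw>" into its two parts. On success both output
 * buffers hold NUL-terminated copies; on any failure both are zeroed so a
 * later module cannot pick up a half-filled secret by mistake. */
enum split_result split_combined_authtok(const char *combined,
                                         char *normal, size_t normal_sz,
                                         char *onetime, size_t onetime_sz)
{
    memset(normal, 0, normal_sz);
    memset(onetime, 0, onetime_sz);
    if (combined == NULL)
        return SPLIT_NO_SEPARATOR;
    if (strlen(combined) > MAX_COMBINED_LEN)
        return SPLIT_TOO_LONG;
    /* First ':' as in Claus's strchr(): a one-time part that itself
     * contains ':' survives whole on the right-hand side, but a normal
     * password containing ':' would be cut short. */
    const char *sep = strchr(combined, ':');
    if (sep == NULL)
        return SPLIT_NO_SEPARATOR;
    size_t nlen = (size_t)(sep - combined);
    size_t olen = strlen(sep + 1);
    if (nlen == 0 || olen == 0)
        return SPLIT_EMPTY_PART;
    if (nlen >= normal_sz || olen >= onetime_sz)
        return SPLIT_TOO_LONG;
    memcpy(normal, combined, nlen);
    memcpy(onetime, sep + 1, olen);
    return SPLIT_OK;
}

/* Inside pam_sm_authenticate() this sits between the two calls Claus shows:
 *   pam_get_item(pamh, PAM_AUTHTOK, (const void **)&combined);
 *   split_combined_authtok(combined, normal, ..., onetime, ...);
 *   ... verify `onetime` against the one-time password store ...
 *   pam_set_item(pamh, PAM_AUTHTOK, normal);   -- hand the rest downstream
 * and both local buffers are memset() to zero before the function returns. */
```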