FW: Additional input (second password) during login
Joe Lewis
joe at joe-lewis.com
Wed Feb 25 21:09:55 UTC 2004
Allow me to make a stab at this. I am thinking that there COULD be two
possibilities.
1) PAM makes a copy of the password provided before supplying it all the
way to the library, and pam_set_item() only modifies the temporary
instance of it (for this specific module).
2) On a set item, it may not be overwriting the password, but just
setting a new entry in an ITEMS table (apache-ish), and that would mean
that the other modules get the original (the first entry in a table)
password, rather than the modified.
The only alternative that you might have to discover what is truly
happening is to look at the pam library source code.
Joe
Redhat.Pam wrote:
> Hi
>
> Since I spot some activity in the forum I try to ask once more... :-)
>
> Happy New Year
> Claus
> _______
>
> Why can't I change the current password (AUTHTOK) using pam_set_item for
> the other auth modules to see ?
> Do I need some pam_setcred magic or... ??
> Are the other modules getting a pam handle to same pam data or do they
> get a handle to a copy of the data ?
>
> Kind regards
> Claus Bruun
>
>
>
> -----Original Message-----
> From: pam-list-admin at redhat.com [mailto:pam-list-admin at redhat.com] On
> Behalf Of CB Maillist
> Sent: 10. december 2003 12:38
> To: pam-list at redhat.com
> Subject: RE: Additional input (second password) during login
>
>
>
> I implemented it yesterday, but I have problems storing the first part
> of the password for the rest of the modules to see. I'm using this code:
>
>
> retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&password);
> if (retval != PAM_SUCCESS)
> {
>     _pam_log(LOG_ERR, "Could not retrieve user's password");
>     return -2;
> }
> /* Work on a private copy: the item handed out by pam_get_item must not be modified in place. */
> password2 = strdup(password);
> if (!password2)
> {
>     _pam_log(LOG_ERR, "Out of memory");
>     return -2;
> }
> password3 = strchr(password2, ':');
> if (!password3)
> {
>     _pam_log(LOG_ERR, "Could not retrieve user's password (no secureid part found)");
>     free(password2);
>     return -2;
> }
>
> /* Terminate the normal password at the ':' and point password3 at the second (one-time) part. */
> *password3++ = 0;
>
> retval = user_lookup(username, password3);
>
> if (retval != 0)
> {
>     _pam_log(LOG_ERR, "Could not verify user");
>     free(password2);
>     return -2;
> }
>
> /* Otherwise, the authentication looked good */
>
> /* Debug output only: this writes both password parts to the log in clear text. */
> _pam_log(LOG_NOTICE, "user '%s' granted access from host %s (%s)(%s)",
>          username, rhost, password2, password3);
>
> /* pam_set_item stores its own copy of the string, so the private copy can be released afterwards. */
> retval = pam_set_item(pamh, PAM_AUTHTOK, password2);
> free(password2);
> if (retval != PAM_SUCCESS)
> {
>     _pam_log(LOG_ERR, "Could not set password %d", retval);
>     return -2;
> }
> return PAM_SUCCESS;
>
>
> Even though set_item returns OK, the password is not set.
> When I read AUTHTOK in the next module it's still the original two-part
> password...
>
> Any ideas ?
>
>
> Kind regards
> Claus Bruun
>
>
>
> -----Original Message-----
> From: pam-list-admin at redhat.com [mailto:pam-list-admin at redhat.com] On
> Behalf Of Tobias Schaefer
> Sent: 9. december 2003 11:46
> To: pam-list at redhat.com
> Subject: RE: Additional input (second password) during login
>
>
> Hi Lucas,
>
>
>> I figured this out already. But as I understand PAM puts the
>> credentials in a store for all modules to read from. Where should I do
>> the input of the second password - in my own module ?
>
>
> if you think about local authentication (instead of ssh/sshd) you would
> use the communication function to provide a second password prompt to
> the user and get his response. I did this some time ago for an AFS
> authentication module.
>
>
>> I considered something like
>>
>> 1. inputting the combined password <normalpw><onetimepw> to the login
>>    prompt
>> 2. let my one-time password routine kick in first and, if remote is on an
>>    external net, verify <onetimepw>. If ok, modify the stored pw by
>>    stripping off the one-time part
>> 3. let the normal auth verify the rest.
>
>
> That should work. A problem might be a length restriction on the
> password in the communication between ssh and sshd. I don't know what a
> safe length would be.
>
>
> Tobias
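The splitting step that both Tobias's three-point plan and Claus's module rely on, written out as an added, self-contained C example (editor's code, not code from this thread or from any PAM module discussed in it). It deliberately leaves libpam out so it can be compiled anywhere: a real pam_sm_authenticate would pass the string obtained from pam_get_item(PAM_AUTHTOK) into strip_verified_otp() and, on success, hand the returned static password to pam_set_item(PAM_AUTHTOK, ...) for the following modules. It goes a little beyond the snippet in the thread: it splits at the last separator (so the static password may itself contain a ':'), bounds-checks both halves instead of assuming they fit, rejects empty halves, and wipes the buffers whenever verification fails. The separator ':', the user name "claus", the sample token "s3cret:123456" and demo_verify() are constructed for the demonstration.

```c
/* Added example: split a combined "<password><sep><onetime>" AUTHTOK and
 * hand back the static part only after the one-time part has verified.
 * No libpam dependency; the caller does the pam_get_item / pam_set_item. */
#include <stdio.h>
#include <string.h>

enum split_status {
    SPLIT_OK = 0,
    SPLIT_NO_TOKEN,      /* caller passed NULL (pam_get_item gave nothing) */
    SPLIT_NO_SEPARATOR,  /* no separator in the token at all */
    SPLIT_EMPTY_PART,    /* separator present but one side is empty */
    SPLIT_TOO_LONG       /* a half does not fit the caller's buffer */
};

/* Wipe a secret in place; a plain memset before free() may be optimised away. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

/* Split at the LAST occurrence of sep (design choice: the one-time code is
 * assumed never to contain the separator, the static password may). Nothing
 * is written to the output buffers unless every check passes. */
int split_combined_authtok(const char *combined, char sep,
                           char *pw_out, size_t pw_size,
                           char *otp_out, size_t otp_size)
{
    if (combined == NULL)
        return SPLIT_NO_TOKEN;
    const char *p = strrchr(combined, sep);
    if (p == NULL)
        return SPLIT_NO_SEPARATOR;
    size_t pw_len = (size_t)(p - combined);
    size_t otp_len = strlen(p + 1);
    if (pw_len == 0 || otp_len == 0)
        return SPLIT_EMPTY_PART;
    if (pw_len >= pw_size || otp_len >= otp_size)
        return SPLIT_TOO_LONG;
    memcpy(pw_out, combined, pw_len);
    pw_out[pw_len] = '\0';
    memcpy(otp_out, p + 1, otp_len);
    otp_out[otp_len] = '\0';
    return SPLIT_OK;
}

/* Verifier callback: 1 = one-time code accepted for this user, 0 = rejected.
 * In a real module this would be the SecurID / OTP lookup. */
typedef int (*otp_verify_fn)(const char *user, const char *otp);

/* Returns 1 and fills pw_out with the static password when the one-time part
 * verified; returns 0 with pw_out wiped otherwise, so a failed check can never
 * leak a half-parsed token to the next module. */
int strip_verified_otp(const char *user, const char *combined,
                       otp_verify_fn verify, char *pw_out, size_t pw_size)
{
    char otp[64];
    int rc = split_combined_authtok(combined, ':', pw_out, pw_size,
                                    otp, sizeof otp);
    if (rc != SPLIT_OK) {
        secure_wipe(pw_out, pw_size);
        return 0;
    }
    int ok = verify(user, otp);
    secure_wipe(otp, sizeof otp);   /* the one-time code is no longer needed */
    if (!ok)
        secure_wipe(pw_out, pw_size);
    return ok;
}

/* Constructed stand-in for the real one-time password check. */
static int demo_verify(const char *user, const char *otp)
{
    return strcmp(user, "claus") == 0 && strcmp(otp, "123456") == 0;
}

int main(void)
{
    char pw[128];
    /* Constructed sample token: static password "s3cret", one-time code "123456". */
    int ok = strip_verified_otp("claus", "s3cret:123456", demo_verify, pw, sizeof pw);
    printf("%s: static password for following modules = %s\n",
           ok ? "accepted" : "rejected", ok ? pw : "(wiped)");
    return ok ? 0 : 1;
}
```

The point of returning the static part only through a caller-owned buffer is that the module, not libpam, controls the lifetime of the secret: after pam_set_item has taken its own copy the buffer can be wiped, which the snippet in the thread (strdup without free) never did.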