Bug 2549

Summary: [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication
Product: Portable OpenSSH
Reporter: Tomas Kuthan <tomas.kuthan>
Component: PAM support
Assignee: Assigned to nobody <unassigned-bugs>
Status: NEW
Severity: enhancement
Priority: P5
Version: 7.1p2
Hardware: SPARC
OS: Solaris
Attachments: Allow PAM conversation for pam_setcred (flags: none)

Description Tomas Kuthan 2016-03-08 00:05:08 AEDT
Currently OpenSSH runs pam_setcred with 'fake' conversation function sshpam_store_conv. If some PAM module actually tries to converse for pam_setcred, sshpam_store_conv fails with PAM_CONV_ERR.

But there are/will be real world PAM modules that actually need to converse for pam_setcred. This bug asks for making that possible for keyboard-interactive authentication.

Allowing pam_setcred conversation for other user auths (pubkey, password, hostbased, gssapi-with-mic, ...) would be significantly harder, because for those auths there is no support for prompts and replies in the SSH authentication protocol.
Comment 1 Tomas Kuthan 2016-03-08 00:08:42 AEDT
Created attachment 2797
Allow PAM conversation for pam_setcred

This patch moves calling pam_setcred to the end of actual PAM authentication, where there still is a real conversation function available.
If pam_setcred was already called, it is not called a second time in do_pam_setcred.
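As an added illustration (not OpenSSH code and not the attached patch), the following self-contained C model shows why a store-only conversation fails as soon as a module prompts during setcred, and the guard that keeps a later do_pam_setcred from repeating the call. The PAM types, constants, conversation functions and the prompting module hook are constructed stand-ins; the names store_conv, kbdint_conv, module_setcred and do_setcred_once are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
/* Constructed model of the conversation problem this bug describes; not OpenSSH
 * code. Minimal stand-ins for the libpam types let it build without libpam. */
#include <stdlib.h>
#include <string.h>
#define PAM_SUCCESS 0
#define PAM_CONV_ERR 19
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_TEXT_INFO 4
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
typedef int (*conv_fn)(int, const struct pam_message **, struct pam_response **, void *);

/* Like sshpam_store_conv: info text is accepted (it would be queued), a prompt fails. */
static int store_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *d)
{
    (void)d;
    for (int i = 0; i < n; i++)
        if (msg[i]->msg_style != PAM_TEXT_INFO) return PAM_CONV_ERR;
    *resp = calloc((size_t)n, sizeof **resp);
    return *resp ? PAM_SUCCESS : PAM_CONV_ERR;
}

/* Keyboard-interactive conversation: the prompt reaches the client; answer comes via appdata. */
static int kbdint_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *d)
{
    if (!(*resp = calloc((size_t)n, sizeof **resp))) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++)
        if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) (*resp)[i].resp = strdup((const char *)d);
    return PAM_SUCCESS;
}

/* A module's setcred hook that must ask the user something (the case the report mentions). */
int module_setcred(conv_fn conv, void *d)
{
    struct pam_message m = { PAM_PROMPT_ECHO_OFF, "Token code: " };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    int rc = conv(1, &mp, &r, d);
    if (rc == PAM_SUCCESS) { free(r[0].resp); free(r); }
    return rc;
}

int setcred_calls = 0, setcred_done = 0;
/* pam_setcred as the patch arranges it: once, while a real conversation is current; later calls skip. */
int do_setcred_once(conv_fn conv, void *d)
{
    if (setcred_done) return PAM_SUCCESS;
    setcred_done = 1; setcred_calls++;
    return module_setcred(conv, d);
}
```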
Comment 2 Tomas Kuthan 2016-03-08 20:57:25 AEDT
I should have noted the following about the proposed patch above:

Although the patch applies, builds and runs standalone, it has an implicit dependency on the fix for #2548. Without that fix, it only makes the issue described in #2548 worse: on top of pam_authenticate, pam_acct_mgmt and pam_chauthtok it would add pam_setcred too into the separate address space of the auxiliary PAM process. That would have some substantive implications, such as an invalid audit context and damaged audit records.