OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
RE: Additional input (second password) during login

From: CB Maillist (cbmaillistarchie.dk)
Date: Thu Dec 11 2003 - 01:54:34 CST


Come on - someone must know :-)))

Why can't I change the current password (AUTHTOK) using pam_set_item for
the other auth modules to see ?
Do I need some pam_setcred magic or... ??
Are the other modules getting a pam handle to same pam data or do they
get a handle to a copy of the data ?

mvh
Claus Bruun
 

-----Original Message-----
From: pam-list-adminredhat.com [mailto:pam-list-adminredhat.com] On
Behalf Of CB Maillist
Sent: 10. december 2003 12:38
To: pam-listredhat.com
Subject: RE: Additional input (second password) during login

I implemented it yesterday, but I have problems storing the first part
of the password for rest of the modules to see. I using the code.

        retval = pam_get_item(pamh, PAM_AUTHTOK, (const void
**)&password);
        if (retval != PAM_SUCCESS)
        {
                _pam_log(LOG_ERR, "Could not retrive user's password");
                return -2;
        }
    password2 = strdup(password);
    password3 = strchr(password2,':');
        if (!password3)
        {
                _pam_log(LOG_ERR, "Could not retrive user's password (no
secureid part found)");
                return -2;
        }

    *password3++ = 0;

        retval = user_lookup(username, password3);

        if retval != 0)
        {
                _pam_log(LOG_ERR, "Could not verify user");
                return -2;
        }

        /* Otherwise, the authentication looked good */

        _pam_log(LOG_NOTICE, "user '%s' granted acces from host %s
(%s)(%s)", username,rhost,password2,password3?password3:"-");
            
      retval = pam_set_item(pamh,PAM_AUTHTOK,password2);
      if (retval != PAM_SUCCESS)
      {
         _pam_log(LOG_ERR, "Could not set password %1",retval);
         return -2;
      }
        return PAM_SUCCESS;

                        
Even though the set_item returns OK set password is not set.
When I read AUTHTOK in the next module its still the original twopart
password...

Any ideas ?

mvh
Claus Bruun
 

-----Original Message-----
From: pam-list-adminredhat.com [mailto:pam-list-adminredhat.com] On
Behalf Of Tobias Schaefer
Sent: 9. december 2003 11:46
To: pam-listredhat.com
Subject: RE: Additional input (second password) during login

Hi Lucas,

> I figured this out already. But as I understand PAM puts the
> credentials in a store for all modules to read from. Where should I do

> the input of the second password - in my own module ?

if you think about local authentication (instead of ssh/sshd) you would
use the communication function to provide a second password prompt to
the user and get his response. I did this some time ago for an AFS
authentication module.

>
> I considered something like
>
> 1. inputting the combined password <normalpw><onetimepw> to the login
> promt 2. let my onetime password routing kick in first and if remote
> is on an external net verifying <onetimepw>.
> If ok modify the stored pw by stripping of the onetime part
> 3. let the normal auth verify the rest.

That should work. A problem might be a length restriction on the
password in the communication between ssh and sshd. I don't know what a
safe length would be.

Tobias
--

  Tobias Schaefer Phone 07071-9457-0
  science + computing ag FAX 07071-9457-27
  Hagellocher Weg 71-75
  D-72070 Tuebingen Email: T.Schaeferscience-computing.de
        WWW: http://www.science-computing.de/

_______________________________________________
Pam-list mailing list
Pam-listredhat.com https://www.redhat.com/mailman/listinfo/pam-list

_______________________________________________
Pam-list mailing list
Pam-listredhat.com https://www.redhat.com/mailman/listinfo/pam-list

_______________________________________________
Pam-list mailing list
Pam-listredhat.com
https://www.redhat.com/mailman/listinfo/pam-list