Re: Interacting with PAM issues
- In reply to: Mikhail Zakharov : "Interacting with PAM issues"
Date: Tue, 25 Apr 2023 18:01:57 UTC
On 25.04.2023 19.26, Mikhail Zakharov wrote:
> Hi,
>
> I'm trying to write a custom PAM conversation function and perform
> authentication (re-check password) for my already logged in user. Below
> is the function:
>
> int pam_conv(int n, const struct pam_message **msg,
>              struct pam_response **resp, void *data) {
>
>     struct pam_response *pr;
>     int i;
>
>     if (n <= 0 || n > PAM_MAX_NUM_MSG) return PAM_CONV_ERR;
>     if ((pr = calloc(n, sizeof(*pr))) == NULL) return PAM_BUF_ERR;
>
>     for (i = 0; i < n; i++) {
>         pr[i].resp = NULL;
>         pr[i].resp_retcode = 0;
>         switch (msg[i]->msg_style) {
>         case PAM_PROMPT_ECHO_OFF:
>         case PAM_PROMPT_ECHO_ON:
>             pr[i].resp = strdup(passwd);
>             break;
>         case PAM_ERROR_MSG: /* Do we need this? */
>         case PAM_TEXT_INFO:
>             fprintf(stderr, "\n\r%s\n", msg[i]->msg);
>             break;
>         default:
>             /* Clear possible passwords in responses; then free memory */
>             for (i = 0; i < n; i++)
>                 if (pr[i].resp) {
>                     memset(pr[i].resp, 0, strlen(pr[i].resp));
>                     free(pr[i].resp);
>                 }
>             free(pr);
>             *resp = NULL;
>             return PAM_CONV_ERR;
>         }
>     }
>     *resp = pr;
>     return PAM_SUCCESS;
> }
>
> And that's how I call it:
>
> int pam_auth(char *user) {
>     static pam_handle_t *pamh;
>     static struct pam_conv pamc;
>     int rval;
>     char *tty_name;
>
>     pamc.conv = &pam_conv;
>     /* Pretend we want login service */
>     rval = pam_start("login", user, &pamc, &pamh);
>     tty_name = ttyname(STDIN_FILENO);
>     if (rval == PAM_SUCCESS) rval = pam_set_item(pamh, PAM_TTY, tty_name);
>     if (rval == PAM_SUCCESS) rval = pam_authenticate(pamh, 0);
>     if (pam_end(pamh, rval) != PAM_SUCCESS) pamh = NULL;
>
>     return rval == PAM_SUCCESS ? 0 : 1;
> }
>
> Well, PAM login allows logging in as the same user without checking a
> password:
>
> # auth
> auth sufficient pam_self.so no_warn
> auth include system
>
> When trying other services, e.g. "system", "ssh", "other",
> pam_authenticate() returns Authentication error, PAM error 9.
>
> What am I doing wrong? Surprisingly, I do not see the same issue on Mac and
> CentOS.
>
> Best, Mikhail Zakharov
>
>
Hi
Do you run it as root?