Bug 126985

Summary: PAM does not use new conversation function after pam_set_item(.., PAM_CONV, ..)
Product: [Fedora] Fedora
Reporter: Darren Tucker <dtucker>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium    
Version: 2   
Hardware: i686   
OS: Linux   
URL: http://www.zip.com.au/~dtucker/openssh/wrong-conv-function.c
Fixed In Version: pam-0.77-61
Doc Type: Bug Fix
Last Closed: 2004-10-27 03:18:40 EDT
Attachments:
wrong-conv-function.c: testcase for PAM conversation change bug

Description Darren Tucker 2004-06-30 00:12:36 EDT
Description of problem:
PAM does not use the new conversation function after
pam_set_item(pamh, PAM_CONV, &newconv) even though pam_set_item
returns a success.

This is demonstrated by the testcase (which I'll also attach if I can).

This, BTW, is probably the reason that OpenSSH's sshd gets
"authentication token manipulation" errors (when trying to change
expired passwords) on Redhat and Fedora in some cases (more so with
older sshd's but still possible with current versions).

Version-Release number of selected component (if applicable):
pam-0.77-40

How reproducible:
Always

Steps to Reproduce:
1. Compile testcase
2. Run ./a.out
3. Note that myconv1 is called instead of myconv2.

Actual Results:
$ gcc wrong-conv-function.c -lpam
$ sudo ./a.out
pam_start result 0 (Success)
pam_authenticate conversation my_conv1 called
pam_authenticate result 3 (Error in service module)
pam_set_item result 0 (Success)
pam_chauthtok conversation my_conv1 called
pam_chauthtok conversation my_conv1 called
pam_chauthtok conversation my_conv1 called
pam_chauthtok result 19 (Conversation error)
ERROR: wrong conversation function called by PAM

Expected Results:
(This is on Solaris 8, which works OK: see that for pam_chauthtok
myconv2 is called.)
$ gcc wrong-conv-function.c -lpam
$ sudo ./a.out
pam_start result 0 (Success)
pam_authenticate conversation my_conv1 called
pam_authenticate result 6 (Conversation failure)
pam_set_item result 0 (Success)
pam_chauthtok conversation my_conv2 called
pam_chauthtok result 6 (Conversation failure)
Test passed OK

Additional info:

Also mentioned on the PAM mailing list (no response).
https://listman.redhat.com/archives/pam-list/2004-June/msg00027.html

Comment 1 Darren Tucker 2004-06-30 00:14:12 EDT
Created attachment 101528
wrong-conv-function.c: testcase for PAM conversation change bug