Bug 126985 - PAM does not use new conversation function after pam_set_item(.., PAM_CONV, ..)
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: 2
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
URL: http://www.zip.com.au/~dtucker/openss...
Reported: 2004-06-30 04:12 UTC by Darren Tucker
Modified: 2007-11-30 22:10 UTC

Fixed In Version: pam-0.77-61
Doc Type: Bug Fix
Last Closed: 2004-10-27 07:18:40 UTC

Attachments
wrong-conv-function.c: testcase for PAM conversation change bug (1.62 KB, text/plain)
2004-06-30 04:14 UTC, Darren Tucker

Description Darren Tucker 2004-06-30 04:12:36 UTC
Description of problem:
PAM does not use the new conversation function after
pam_set_item(pamh, PAM_CONV, &newconv) even though pam_set_item
returns a success.

This is demonstrated by the testcase (which I'll also attach if I can).

This, BTW, is probably the reason that OpenSSH's sshd gets
"authentication token manipulation" errors when trying to change
expired passwords on Red Hat and Fedora in some cases (more so with
older sshd's but still possible with current versions).

Version-Release number of selected component (if applicable):
pam-0.77-40

How reproducible:
Always

Steps to Reproduce:
1. Compile testcase
2. Run ./a.out
3. Note that myconv1 is called instead of myconv2.

Actual Results:
$ gcc wrong-conv-function.c -lpam
$ sudo ./a.out
pam_start result 0 (Success)
pam_authenticate conversation my_conv1 called
pam_authenticate result 3 (Error in service module)
pam_set_item result 0 (Success)
pam_chauthtok conversation my_conv1 called
pam_chauthtok conversation my_conv1 called
pam_chauthtok conversation my_conv1 called
pam_chauthtok result 19 (Conversation error)
ERROR: wrong conversation function called by PAM

Expected Results:
(This is on Solaris 8, which works OK: see that for pam_chauthtok
myconv2 is called.)
$ gcc wrong-conv-function.c -lpam
$ sudo ./a.out
pam_start result 0 (Success)
pam_authenticate conversation my_conv1 called
pam_authenticate result 6 (Conversation failure)
pam_set_item result 0 (Success)
pam_chauthtok conversation my_conv2 called
pam_chauthtok result 6 (Conversation failure)
Test passed OK

Additional info:

Also mentioned on the PAM mailing list (no response).
https://listman.redhat.com/archives/pam-list/2004-June/msg00027.html

Comment 1 Darren Tucker 2004-06-30 04:14:12 UTC
Created attachment 101528
wrong-conv-function.c: testcase for PAM conversation change bug
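
The reproduction steps from the description, written as an added Python/ctypes probe; it is not the attached wrong-conv-function.c and not PAM or OpenSSH project code. The names make_conv and probe_conv_switch, the service "other" and the user "nobody" are assumptions, the numeric constants are the Linux-PAM values, and both conversations refuse to answer, so nothing is authenticated or changed.

```python
import ctypes
import ctypes.util

PAM_SUCCESS, PAM_CONV, PAM_CONV_ERR = 0, 5, 19   # Linux-PAM constant values
VP = ctypes.c_void_p
# int conv(int num_msg, msg, resp, void *appdata_ptr); pointers kept opaque
CONV_FN = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int, VP, VP, VP)

class PamConv(ctypes.Structure):                 # struct pam_conv
    _fields_ = [("conv", CONV_FN), ("appdata_ptr", VP)]

def make_conv(name, calls):
    """Conversation that records its name in `calls` and refuses to answer."""
    def conv(num_msg, msg, resp, appdata_ptr):
        calls.append(name)
        return PAM_CONV_ERR
    callback = CONV_FN(conv)
    conv_struct = PamConv(callback, None)
    conv_struct.keepalive = callback             # keep the C thunk referenced
    return conv_struct

def probe_conv_switch(service="other", user="nobody"):
    """Report which conversation PAM calls after pam_set_item(PAM_CONV):
    'new', 'old' (the bug), 'none' (no module prompted) or 'unavailable'."""
    path = ctypes.util.find_library("pam")
    if path is None:
        return "unavailable"
    pam = ctypes.CDLL(path)
    pam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                              ctypes.POINTER(PamConv), ctypes.POINTER(VP)]
    pam.pam_set_item.argtypes = [VP, ctypes.c_int, VP]
    for fn in (pam.pam_authenticate, pam.pam_chauthtok, pam.pam_end):
        fn.argtypes = [VP, ctypes.c_int]
    calls = []
    old, new = make_conv("old", calls), make_conv("new", calls)
    pamh = VP()
    if pam.pam_start(service.encode(), user.encode(),
                     ctypes.byref(old), ctypes.byref(pamh)) != PAM_SUCCESS:
        return "unavailable"
    try:
        pam.pam_authenticate(pamh, 0)            # may prompt through `old`
        if pam.pam_set_item(pamh, PAM_CONV, ctypes.addressof(new)) != PAM_SUCCESS:
            return "unavailable"
        mark = len(calls)
        pam.pam_chauthtok(pamh, 0)               # should prompt through `new`
        after = calls[mark:]
    finally:
        pam.pam_end(pamh, PAM_SUCCESS)
    return "old" if "old" in after else ("new" if after else "none")
```

A result of "old" corresponds to the behaviour reported here; "none" means the configured stack never prompted, so the probe says nothing about that service.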

