Red Hat Bugzilla – Bug 126985
PAM does not use new conversation function after pam_set_item(.., PAM_CONV, ..)
Last modified: 2007-11-30 17:10:45 EST
Description of problem:
PAM does not use the new conversation function after pam_set_item(pamh, PAM_CONV, &newconv) even though pam_set_item returns success. This is demonstrated by the testcase (which I'll also attach if I can).

This, BTW, is probably the reason that OpenSSH's sshd gets "authentication token manipulation" errors when trying to change expired passwords on Red Hat and Fedora in some cases (more so with older sshd's but still possible with current versions).

Version-Release number of selected component (if applicable):
pam-0.77-40

How reproducible:
Always

Steps to Reproduce:
1. Compile testcase
2. Run ./a.out
3. Note that myconv1 is called instead of myconv2.

Actual Results:

    $ gcc wrong-conv-function.c -lpam
    $ sudo ./a.out
    pam_start result 0 (Success)
    pam_authenticate conversation my_conv1 called
    pam_authenticate result 3 (Error in service module)
    pam_set_item result 0 (Success)
    pam_chauthtok conversation my_conv1 called
    pam_chauthtok conversation my_conv1 called
    pam_chauthtok conversation my_conv1 called
    pam_chauthtok result 19 (Conversation error)
    ERROR: wrong conversation function called by PAM

Expected Results:
(This is on Solaris 8, which works OK: see that for pam_chauthtok myconv2 is called.)

    $ gcc wrong-conv-function.c -lpam
    $ sudo ./a.out
    pam_start result 0 (Success)
    pam_authenticate conversation my_conv1 called
    pam_authenticate result 6 (Conversation failure)
    pam_set_item result 0 (Success)
    pam_chauthtok conversation my_conv2 called
    pam_chauthtok result 6 (Conversation failure)
    Test passed OK

Additional info:
Also mentioned on the PAM mailing list (no response).
https://listman.redhat.com/archives/pam-list/2004-June/msg00027.html

Created attachment 101528
wrong-conv-function.c: testcase for PAM conversation change bug