Bug 126985 - PAM does not use new conversation function after pam_set_item(.., PAM_CONV, ..)
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: pam
Version: 2
Hardware: i686 Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
http://www.zip.com.au/~dtucker/openss...
Reported: 2004-06-30 00:12 EDT by Darren Tucker
Modified: 2007-11-30 17:10 EST
Fixed In Version: pam-0.77-61
Doc Type: Bug Fix
Last Closed: 2004-10-27 03:18:40 EDT

Attachments
wrong-conv-function.c: testcase for PAM conversation change bug (1.62 KB, text/plain)
2004-06-30 00:14 EDT, Darren Tucker
Description Darren Tucker 2004-06-30 00:12:36 EDT
Description of problem:
PAM does not use the new conversation function after
pam_set_item(pamh, PAM_CONV, &newconv) even though pam_set_item
returns a success.

This is demonstrated by the testcase (which I'll also attach if I can).

This, BTW, is probably the reason that OpenSSH's sshd gets
"authentication token manipulation" errors (when trying to change
expired passwords) on Red Hat and Fedora in some cases (more so with
older sshd's but still possible with current versions).

Version-Release number of selected component (if applicable):
pam-0.77-40

How reproducible:
Always

Steps to Reproduce:
1. Compile testcase
2. Run ./a.out
3. Note that myconv1 is called instead of myconv2.

Actual Results:
$ gcc wrong-conv-function.c -lpam
$ sudo ./a.out
pam_start result 0 (Success)
pam_authenticate conversation my_conv1 called
pam_authenticate result 3 (Error in service module)
pam_set_item result 0 (Success)
pam_chauthtok conversation my_conv1 called
pam_chauthtok conversation my_conv1 called
pam_chauthtok conversation my_conv1 called
pam_chauthtok result 19 (Conversation error)
ERROR: wrong conversation function called by PAM

Expected Results:
(This is on Solaris 8, which works OK: see that for pam_chauthtok
myconv2 is called.)
$ gcc wrong-conv-function.c -lpam
$ sudo ./a.out
pam_start result 0 (Success)
pam_authenticate conversation my_conv1 called
pam_authenticate result 6 (Conversation failure)
pam_set_item result 0 (Success)
pam_chauthtok conversation my_conv2 called
pam_chauthtok result 6 (Conversation failure)
Test passed OK

Additional info:

Also mentioned on the PAM mailing list (no response).
https://listman.redhat.com/archives/pam-list/2004-June/msg00027.html
Comment 1 Darren Tucker 2004-06-30 00:14:12 EDT
Created attachment 101528
wrong-conv-function.c: testcase for PAM conversation change bug
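
The call sequence from the description (pam_authenticate, then pam_set_item with PAM_CONV, then pam_chauthtok), written out as an added example; it is not the attached wrong-conv-function.c and not the reporter's code. It loads libpam with dlopen and declares the few Linux-PAM types and constants it needs inline, and the function name, the return codes, the default service "other" and the default user "nobody" are assumptions made for this example.

```c
#include <dlfcn.h>
#include <stdio.h>
/* Minimal Linux-PAM ABI declared inline (assumption) so this builds without PAM headers. */
struct pam_handle; struct pam_message; struct pam_response;
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
enum { PAM_SUCCESS = 0, PAM_CONV = 5, PAM_CONV_ERR = 19 };
static int last_conv; /* 0 = none called, 1 = conv_old, 2 = conv_new */
/* Both conversations refuse to answer, so no password is read or changed. */
static int conv_old(int n, const struct pam_message **m, struct pam_response **r, void *d)
{ (void)n; (void)m; (void)r; (void)d; last_conv = 1; return PAM_CONV_ERR; }
static int conv_new(int n, const struct pam_message **m, struct pam_response **r, void *d)
{ (void)n; (void)m; (void)r; (void)d; last_conv = 2; return PAM_CONV_ERR; }

/* 2: replacement called after pam_set_item (correct); 1: original still called
 * (the reported bug); 0: pam_chauthtok started no conversation; -1: setup failed. */
int conv_after_switch(const char *service, const char *user)
{
    void *lib = dlopen("libpam.so.0", RTLD_NOW);
    if (!lib) return -1;
    int (*start)(const char *, const char *, const struct pam_conv *, struct pam_handle **) = dlsym(lib, "pam_start");
    int (*set_item)(struct pam_handle *, int, const void *) = dlsym(lib, "pam_set_item");
    int (*authenticate)(struct pam_handle *, int) = dlsym(lib, "pam_authenticate");
    int (*chauthtok)(struct pam_handle *, int) = dlsym(lib, "pam_chauthtok");
    int (*end)(struct pam_handle *, int) = dlsym(lib, "pam_end");
    struct pam_conv c1 = { conv_old, NULL }, c2 = { conv_new, NULL };
    struct pam_handle *pamh = NULL;
    int result = -1;
    if (start && set_item && authenticate && chauthtok && end &&
        start(service, user, &c1, &pamh) == PAM_SUCCESS) {
        authenticate(pamh, 0);                /* first call: conv_old expected */
        if (set_item(pamh, PAM_CONV, &c2) == PAM_SUCCESS) {
            last_conv = 0;
            chauthtok(pamh, 0);               /* after the switch: conv_new expected */
            result = last_conv;
        }
        end(pamh, PAM_SUCCESS);
    }
    dlclose(lib);
    return result;
}

int main(int argc, char **argv)
{
    int r = conv_after_switch(argc > 1 ? argv[1] : "other", argc > 2 ? argv[2] : "nobody");
    printf("conversation used after pam_set_item: %d\n", r);
    return r == 1; /* non-zero exit status when the reported bug is present */
}
```

Build with `gcc conv-switch.c -ldl` (the file name is a placeholder) and pass a service whose password stack prompts, run under sudo as in the report; a result of 0 means the chosen stack never asked for a conversation, so the run is inconclusive.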
