Bug 201343 – pam_securetty requires known user to work

Bug 201343 - pam_securetty requires known user to work

Summary:	pam_securetty requires known user to work

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	util-linux (Show other bugs)
Sub Component:
Version:	5.0
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Karel Zak
QA Contact:	Ben Levenson
Docs Contact:

URL:
Whiteboard:
Keywords:	Reopened

Depends On:
Blocks:	181386 181509
	Show dependency tree / graph

Reported:	2006-08-04 11:08 EDT by Bob Relyea
Modified:	2007-11-30 17:07 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:	5.0.0
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2006-11-13 10:35:00 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Bob Relyea 2006-08-04 11:08:05 EDT

Description of problem:

pam modules may change the username as part of the processing. Login needs to
switch to that new user name.

This can be seen by logging in using smart cards.

Version-Release number of selected component (if applicable):

FC6 Test 2, rawhide

How reproducible:

1. Enable Smart Card login.
2. switch to a login screen
3. insert your smart card, hit ' '<enter>
4. Supply your pin

pam_pkcs11 will authenticate you, but your login fails.
If you type your matching user name at step 3 you will be logged in.

The same stack succeeds in gdm.

NOTE: The initial symptoms point to a bug in login, however the problem could be
in pam_pkcs11 as instead.

bob

Comment 1 Tomas Mraz 2006-08-09 13:45:16 EDT

I think that login - same as many other PAM client apps (openssh for example) -
simply doesn't request the new username from PAM when it is called.

Comment 2 Ray Strode [halfline] 2006-08-09 13:52:05 EDT

right, that's what we figured the bug was, too.

Comment 3 Karel Zak 2006-08-10 06:02:22 EDT

Bob, I need more details about "...but your login fails". What do you have in
logs? Is there any error message from login? I need a clue when login process
failed.

Comment 4 Tomas Mraz 2006-08-10 07:35:19 EDT

So actually the problem is caused by pam_securetty (which is in pam config for
login). It is configured as a first PAM module to call and it requires a known
user to work.

This can be fixed calling pam_securetty like this:

auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so

Comment 5 Karel Zak 2006-08-11 02:09:40 EDT

Tom, is it right use this setting also for "remote" login? Now we use same
configuration for remote and for local login.

Comment 6 Tomas Mraz 2006-08-21 03:58:27 EDT

I think that it should be left as is for remote login if it doesn't complicate
things too much for you.

Comment 10 Jay Turner 2006-09-21 23:38:02 EDT

Reopening based on comment 7.

Comment 11 Karel Zak 2006-09-22 02:54:50 EDT

Fixed in util-linux >= 2.13-0.40.

Comment 13 Bob Relyea 2006-09-26 14:09:17 EDT

1. Switch to a login screen.
2. Insert your smart card.
3. Type ' '<enter> (that is hit the space bar and enter key).
4. You should be prompted with your smart card password. type it.
5. You should be logged in as you.

bob

Comment 15 Jay Turner 2006-11-13 10:35:00 EST

Closing as the fixes are included in the latest RHEL5 trees (20061111.0)

Note You need to log in before you can comment on or make changes to this bug.