Date: Thu, 30 Aug 2001 18:15:24 +0200 (CEST)
From: Gunnar Kreitz <gunnark@chello.se>
To: FreeBSD-gnats-submit@freebsd.org
Subject: misc/30250: [PATCH] pam_opie makes authorization fail, despite correct OTP
Message-ID: <200108301615.f7UGFOm11335@odin.localnet>
>Number: 30250
>Category: misc
>Synopsis: [PATCH] pam_opie makes authorization fail, despite correct OTP
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Sep 01 07:00:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Gunnar Kreitz
>Release: FreeBSD 5.0-CURRENT i386
>Organization: N/A
>Environment:
System: FreeBSD odin.localnet 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Wed Aug 29 21:25:54 CEST 2001 gunnark@odin.localnet:/usr/obj/usr/src/sys/ODIN i386
>Description:
pam_opie makes authentication fail, despite correct OTP. When the debug option is added in /etc/pam.conf it logs returning PAM_SUCCESS from pam_sm_authenticate but behaves as if PAM_AUTH_ERR was returned. I believe this comes from the fact that the argument to the macro PAM_RETURN is evaluated twice and the check fails the second time around because, as the comment above it states: "[...] because opieverify mucks with it [its arguments]".
>How-To-Repeat:
Enable pam_opie.so for authentication in /etc/pam.conf. Type in correct OTP. 8)
>Fix:
Apply this diff. It also makes the calls to pam_std_option in ..._authenticate and ..._setcred symmetric, which I believe they should be. That part of the patch is not relevant to the problem but should probably be included in the cvs tree anyway.
--- pam_opie.diff begins here --- Index: pam_opie.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.c,v retrieving revision 1.4 diff -u -r1.4 pam_opie.c --- pam_opie.c 2001/08/10 19:12:58 1.4 +++ pam_opie.c 2001/08/30 15:47:15 
@@ -118,7 +118,8 @@ * it expects. Thus we can't log an error and can only check for * success or lack thereof. */ - PAM_RETURN(opieverify(&opie, resp) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR); + retval = (opieverify(&opie, resp) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR); + PAM_RETURN(retval); } PAM_EXTERN int @@ -126,7 +127,7 @@ { struct options options; - pam_std_option(&options, NULL, argc, argv); + pam_std_option(&options, other_options, argc, argv); PAM_LOG("Options processed"); --- pam_opie.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
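
Review bot: In the first hunk (around line 118 of pam_opie.c), the new assignment to retval depends on a declaration that does not appear in the visible context lines; confirm the enclosing function already declares an int retval, or add the declaration in this patch. Because the report attributes the failure to PAM_RETURN evaluating its argument twice, it is also worth fixing the macro so it evaluates the argument once into a temporary; otherwise any other call site that passes an expression with side effects keeps the same log-says-success, caller-sees-failure behaviour. The outer parentheses around the conditional expression are no longer needed.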
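
Review bot: In the second hunk (around line 126), replacing NULL with other_options is unrelated to the OTP failure, as the submission itself says, and other_options is not defined anywhere in the visible lines. Please split it into a separate change with its own commit message that states which module options this function is now expected to accept, so the authentication fix can be reviewed and, if needed, backed out on its own.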
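
The double evaluation described in the report, as an added C example that is not part of the original message or of FreeBSD's code. `LOG_RETURN_TWICE`, `LOG_RETURN_ONCE`, `verify_once` and the return codes are constructed stand-ins, since the page shows neither the definition of PAM_RETURN nor the internals of opieverify.

```c
#include <stdio.h>
#include <string.h>

enum { AUTH_OK = 0, AUTH_ERR = 7 };   /* constructed return codes */
static int last_logged = -1;          /* what the "debug log" recorded */

/* Constructed stand-in for a verifier that modifies its argument:
 * it wipes the response, so a second call on the same buffer fails. */
static int verify_once(char *resp)
{
    int ok = strcmp(resp, "CORRECT OTP") == 0;
    memset(resp, 0, strlen(resp));
    return ok ? 0 : -1;
}

/* Hypothetical log-and-return macro that expands its argument twice. */
#define LOG_RETURN_TWICE(e) do { last_logged = (e); return (e); } while (0)
/* Hardened form: evaluate once into a temporary, then log and return it. */
#define LOG_RETURN_ONCE(e) do { int rv_ = (e); last_logged = rv_; return rv_; } while (0)

/* Before: the verifier call sits in the macro argument and runs twice. */
int auth_before(const char *typed)
{
    char resp[64];
    snprintf(resp, sizeof resp, "%s", typed);
    LOG_RETURN_TWICE(verify_once(resp) == 0 ? AUTH_OK : AUTH_ERR);
}

/* Call-site fix in the style of the patch: verify once, pass a plain variable. */
int auth_patched(const char *typed)
{
    char resp[64];
    snprintf(resp, sizeof resp, "%s", typed);
    int retval = verify_once(resp) == 0 ? AUTH_OK : AUTH_ERR;
    LOG_RETURN_TWICE(retval);
}

/* Macro fix: the original call shape is safe once the macro evaluates once. */
int auth_macro_fixed(const char *typed)
{
    char resp[64];
    snprintf(resp, sizeof resp, "%s", typed);
    LOG_RETURN_ONCE(verify_once(resp) == 0 ? AUTH_OK : AUTH_ERR);
}
int main(void)
{
    printf("before=%d\n", auth_before("CORRECT OTP"));
    printf("patched=%d macro_fixed=%d\n", auth_patched("CORRECT OTP"), auth_macro_fixed("CORRECT OTP"));
    return 0;
}
```

With the twice-expanding macro the logged value and the returned value come from two different verifier calls, which is why a debug log can show success while the caller receives a failure.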