# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1
The authenticate chokes on pam_dial_auth.so.1
becuase I haven't set PAM_TTY - it fails with
the following error
PAM_SERVICE_ERR
Error in the calling service, PAM_TTY is not set.
Setting PAM_TTY to anything before calling pam_authenticate seems to
make the authenticate succeed.
pam_set_item(pamh, PAM_TTY, "app"); //This seems to do the trick.
Also changing the entry in pam.conf to sufficient also works
login auth sufficient pam_dial_auth.so.1
Googling also found me similiar things.
For eg.
http://forgecvs1.novell.com/viewcvs/openssh/openssh/auth-pam.c?view=markup&rev=1.1&sortby=rev
#ifdef PAM_TTY_KLUDGE
/*
* Some silly PAM modules (e.g. pam_time) require a TTY to operate.
* sshd doesn't set the tty until too late in the auth process and
* may not even set one (for tty-less connections)
*/
debug("PAM: setting PAM_TTY to \"ssh\"");
sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh");
if (sshpam_err != PAM_SUCCESS) {
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
return (-1);
}
#endif
So is this a bug (asking because of the PAM_TTY_KLUDGE statement above)?
Or is this absolutely required?
Also will setting it something random like "app" - will this cause problems
on Solaris
or any other platforms (linux or other unixes).
I am also thinking of changing my service name so that people can add
a new section in pam.conf for my service but this is more painful for the
end user.
Is there any other workarounds I can use?
> I have an application which uses PAM authentication.
>My code does a pam_start & then a pam_authenticate.
>The pam_start uses "login" as the service name. I don't
>do any pam_set_item before Authentication.
Your own application should use its own service name.
>This works on linux, but on Solaris the default /etc/pam.conf
>has the following settings for the login service.
># login service (explicit because of pam_dial_auth)
>login auth requisite pam_authtok_get.so.1
>login auth required pam_dhkeys.so.1
>login auth required pam_dial_auth.so.1
>login auth required pam_unix_cred.so.1
>login auth sufficient pam_unix_auth.so.1
>login auth required pam_ldap.so.1
>The authenticate chokes on pam_dial_auth.so.1
>becuase I haven't set PAM_TTY - it fails with
>the following error
Yep, that's probably because "pam_dial_auth" *requires* the tty name
because it needs to figure out whether the current tty is a dial-up
and if that is the case, it can prompt for a specific password for
that dial-up.
>Also changing the entry in pam.conf to sufficient also works
>login auth sufficient pam_dial_auth.so.1
No, don't do that; pam_dial_auth will not allows login,
probably even without a password.
The "login" service isn't the proper service, specifically because
of the old SVr4 "pam_dial_auth" behaviour of asking a dial-up
password.
Or you can just remove the pam_dial_auth from the login stack.
Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
Thanks for your reply, Casper.
>>Also changing the entry in pam.conf to sufficient also works
>>login auth sufficient pam_dial_auth.so.1
>
> No, don't do that; pam_dial_auth will not allows login,
> probably even without a password.
Everything else (snipped) was clear, but I don't understand
the above. Why do you say "don't do that"?
Also, setting PAM_TTY in my app to some dummy stuff before
calling pam_authenticate also works.
pam_set_item(pamh, PAM_TTY, "app"); //This seems to do the trick.
Should I do this instead if I want to use the "login" service?
I meant "now". Sufficient will cause it to test "pam_dial_auth"
and it will return "OK" and then the rest of the stack is
cut short.
>Also, setting PAM_TTY in my app to some dummy stuff before
>calling pam_authenticate also works.
>pam_set_item(pamh, PAM_TTY, "app"); //This seems to do the trick.
>Should I do this instead if I want to use the "login" service?
Make your own?
>Also, setting PAM_TTY in my app to some dummy stuff before
>calling pam_authenticate also works.
>pam_set_item(pamh, PAM_TTY, "app"); //This seems to do the trick.
>Should I do this instead if I want to use the "login" service?
To clarify:
The services listed in /etc/pam.conf have their own PAM stack because
they have specific requirements. Since your program isn't "login"
it should not pretend it is "login".
You define your own service name "yourservice", and then you either
need define your own service in /etc/pam.conf or you use the default,
"other":
Login has:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1 # Special for login!
The default has:
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
(you appear to use "pam_ldap" and it should be listed too)
Do you know which service does telnet uses?
After setting pam_dial_auth as sufficient, I tried to telnet - but
I couldn't get in without a password. Only on supplied the right
pwd for the ldap user, I could get in.
From your other post
> You define your own service name "yourservice", and then you either
> need define your own service in /etc/pam.conf or you use the default,
> "other":
Yes, that's the long term fix I am planning, but that's more complicated.
This would mean that when my app is installed, my installer would have make
changes to pam.conf to get it to work. And that's more complicated because
in Solaris, it's pam.conf. On some Linuxes, I found a /etc/pam.d directory
with a separate file for each service name.
So unless there is a common api defined which encapsulates these differences
& allows me to do these configurations on different OS's this becomes more
complicated. Hence I am looking for a quick fix for now - which will not
compromise security in any way. Hence wondering if setting PAM_TTY to
some dummy value is the right way to go & if there are any problems in
doing that.
> (you appear to use "pam_ldap" and it should be listed too)
True - but I am surprised as to how you knew this?
I re-read my original post but couldn't find what I wrote which lead
to this right conclusion :-)
>
> Casper
Looks like other is defined on my Solaris box as
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1
So looks if in my app, I call pam start with "my_app_name" as my service
name,
then it looks like all the above will come into play & hence will suit my
purpose.
Hopefully, other is defined similiarly on other platforms also.
>Do you know which service does telnet uses?
It probably runs "login" and it uses the "login" service.
>After setting pam_dial_auth as sufficient, I tried to telnet - but
>I couldn't get in without a password. Only on supplied the right
>pwd for the ldap user, I could get in.
Ah, right, because you have ldap.
>True - but I am surprised as to how you knew this?
It's in one of your posts.
telnetd is the PAM client, so you can see in its man page what service
name it uses.
On many (most?) flavors of unix, telnetd uses the login service name,
but on Solaris, it has its own - "telnet". If no "telnet" service in
one or more modules, telnetd uses "other" for that module type...
-Mike