pam module doesn't allow for incremental deployment #27
Comments
Comment #1 originally posted by Abubakar.Masood on 2011-01-28T16:24:07.000Z: I tried adding the code above in pam_google_authenticator.c. After adding, i made a new copy of google-authenticator for 1 user on ma computer, configured google-authenticator with ssh access. But it still looks like it does not allow me to access the not configured user through ssh. Anything I am missing? |
Comment #2 originally posted by valient on 2011-01-29T21:55:27.000Z: The code is contained in an #ifdef which is not enabled by default. You'll need to add "#define ALLOW_UNCONFIGURED_USERS" to the top of the file to make it work. Or else remove the #ifdef and #endif lines from the patch.. |
Comment #3 originally posted by jeremy.kitchen on 2011-02-16T20:50:58.000Z: this patch is fine, but I think it should be a module parameter and not a compile time thing. auth required pam_google_authenticator.so pass_if_unconfigured something like that. |
Comment #4 originally posted by brian@microcomaustralia.com.au on 2011-02-21T00:19:44.000Z: Seems to be broken for su, on Debian Squeeze with Lenny kernel. According to strace (strace is setuid root so I can strace setuid root programs): [...] Still trying to understand why access(...) returns EACCES instead of ENOENT. Maybe a kernel issue with my older kernel? Everything works fine if /root/.google_authenticator exists. |
Comment #5 originally posted by valient on 2011-02-24T00:41:28.000Z: Attached is a patch that adds two arguments to the pam module:
For example, if the following is specified in a pam config file: auth required pam_google_authenticator.so pass_unconfigured suffix=.auth then when a user "foo" attempts to gain access, the module will look for "/home/foo.auth/.google_authenticator", and will return success if that file does not exist. This patch is a diff of the head against my branch, so it also contains a one-line bug fix for blocked code handling. |
Comment #6 originally posted by brian@microcomaustralia.com.au on 2011-02-27T23:26:09.000Z: At quick glance, I think the patch in comment # 5 will suffer from the same problem I have in comment # 4. I just reproduced this problem on an up-to-date Ubuntu system. Still investigating. |
Comment #7 originally posted by Abubakar.Masood on 2011-02-28T15:07:19.000Z: This problem can be solved by adding a CONFIG FILE (which could be user defined) and adding the code on the first post in an if statement which reads from the config file. I have added a config file with settings for allowing/not allowing unconfigured users and it works fine. |
Comment #8 originally posted by paul.devrieze on 2011-02-28T16:34:15.000Z: As an alternative, I've created a patch # 32 that lets the module return various codes to the pam stack. You can then handle those in whatever way desired (including forcing the user to create the token) by leveraging pam. |
Comment #9 originally posted by markus@google.com on 2011-03-09T20:26:23.000Z: <empty> |
Comment #10 originally posted by markus@google.com on 2011-03-12T02:48:47.000Z: See issue # 24 for dealing with encrypted home directories. |
Comment #11 originally posted by fredemmott on 2011-08-20T09:00:28.000Z: Here's a workaround:
#!/bin/sh
auth [success=1 default=ignore] pam_exec.so quiet /usr/local/sbin/no-google-authenticator "[success=1 default=ignore]" means "on success, skip the next 1 auth provider (google), on failure, just pretend it didn't happen" |
Original issue 27 created by valient on 2011-01-18T08:49:42.000Z:
After enabling the PAM module, only users that have setup google authenticator can login.
It may be desirable to allow incremental deployment - allow making authenticator optional if a user hasn't configured it.
diff -r bd9e0af3a6d5 libpam/pam_google_authenticator.c
--- a/libpam/pam_google_authenticator.c Tue Dec 07 11:49:07 2010 -0800
+++ b/libpam/pam_google_authenticator.c Tue Jan 18 00:44:06 2011 -0800
@@ -28,6 +28,7 @@
#include <syslog.h>
#include <time.h>
#include <unistd.h>
+#include <errno.h>
#define PAM_SM_AUTH
#define PAM_SM_SESSION
@@ -571,6 +575,19 @@ static int google_authenticator(pam_hand
}
}
+#ifdef ALLOW_UNCONFIGURED_USERS
+#endif
// Clean up
if (secret) {
memset(secret, 0, secretLen);
The text was updated successfully, but these errors were encountered: