Re: PAM rules inside pam.d



I debugged pam_unix as well; it looks like the
crypt function is giving different strings for telnet and my application
with the same passwd string and salt. So I think the issue could be with the crypt
library linked with telnet and my application.

Please let me know your thoughts.

crypt(plaintext_ptr, salt);

On Fri, Feb 27, 2009 at 7:48 PM, Ivan Grover <ivangrvr299@xxxxxxxxx> wrote:

Hi,
I am sorry, my observation was wrong.

I debugged the problem; it looks strange. These are my findings:

I have my PAM rules for my service as

auth required /lib/security/pam_securetty.so
auth required pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so

The pam_unix module returns authentication failure from pam_unix.so from
pam_stack.so, hence the control reaches pam_nologin.so.

The same rules work well with telnet/ftp, but fail for my service.

I have checked the username and password passed to the PAM module by changing the
sources of pam_nologin.so; they are proper. I didn't have sources for
pam_unix, so I am not able to detect the exact problem.

My suspicion is that my application using my PAM service might have some
fd leaks or some other problem. But the max fds open by my application are
185, which is still below the max limit (OPEN_MAX).

Restarting the application resolves the problem and I am able to
authenticate the user.


Can anyone help me with what the problem could be?


Thanks and Best Regards,



On Wed, Feb 25, 2009 at 1:11 AM, Dag-Erling Smørgrav <des@xxxxxx> wrote:

Ivan Grover <ivangrvr299@xxxxxxxxx> writes:
Now, after upgrading PAM modules (pam_unix.so, pam_stack.so..) and
library [...]

Upgrading from what to what?

Have you tried the standard debugging procedure?

DES
--
Dag-Erling Smørgrav - des@xxxxxx



_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"


