pamusb breaks vsftpd system auth #100

Closed
mcdope opened this issue Nov 19, 2021 · 5 comments · Fixed by #119

mcdope commented Nov 19, 2021

By default vsftpd (at least on Ubuntu) uses normal user accounts configured in the system, and all the PAM modules configured in common-auth.

For some reason pamusb causes a crash in vsftpd and prevents successful authentication. I had to create a copy of /etc/pam.d/common-auth not containing pamusb and include that copy instead of common-auth in the vsftpd PAM config.

mcdope added the bug label Nov 19, 2021
mcdope added this to the 1.0.0 milestone Nov 19, 2021
mcdope self-assigned this Nov 19, 2021

mcdope commented Nov 20, 2021

Can't reproduce the crash so far; however, returning "denied" definitely prevents password auth of system users.


mcdope commented Nov 20, 2021

This could actually point to pam.c:73. Guess we should return PAM_IGNORE or maybe PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR in case we aren't sure about remoteness...

Edit: In #51 we introduced the 0 state for being local, which is used for unknown remoteness and returned as PAM_AUTH_ERR.


mcdope commented Nov 20, 2021

Interesting... even with PAM_IGNORE returned, vsftpd won't continue with pam_unix...


mcdope commented Nov 20, 2021

Hmpf... This simply shouldn't happen with a sufficient module.

That PAM_IGNORE didn't change anything isn't that surprising actually, since sufficient translates to [success=done new_authtok_reqd=done default=ignore].

But nonetheless - pam should just continue with pam_unix... Guess this needs some serious debugging galore...
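
The documented control semantics that comment relies on, as an added example (not pam_usb or libpam code): a simplified C model of how Linux-PAM folds `sufficient` and `required` results into one stack result. The two-entry stack and the names `run_stack` and `scenario` are constructed for illustration; jump counts and the other controls are not modelled.

```c
/* Simplified model of Linux-PAM control handling (added example, not libpam). */
#include <stdio.h>
#include <string.h>

enum ret { SUCCESS, AUTH_ERR, IGNORE };              /* module return values */
enum act { ACT_IGNORE, ACT_OK, ACT_DONE, ACT_BAD };  /* libpam control actions */
struct entry { const char *module, *control; enum ret result; };

/* sufficient = [success=done new_authtok_reqd=done default=ignore]
 * required   = [success=ok new_authtok_reqd=ok ignore=ignore default=bad] */
static enum act action_for(const char *control, enum ret r)
{
    if (strcmp(control, "sufficient") == 0)
        return r == SUCCESS ? ACT_DONE : ACT_IGNORE;
    if (r == SUCCESS) return ACT_OK;
    return r == IGNORE ? ACT_IGNORE : ACT_BAD;
}

/* Returns 1 if the stack authenticates; *ran counts the modules invoked. */
int run_stack(const struct entry *s, int n, int *ran)
{
    int ok_seen = 0, failed = 0;
    for (*ran = 0; *ran < n; ) {
        const struct entry *e = &s[(*ran)++];
        switch (action_for(e->control, e->result)) {
        case ACT_IGNORE: break;                      /* no effect on the outcome */
        case ACT_BAD:    failed = 1; break;          /* fails, stack keeps running */
        case ACT_OK:     ok_seen = 1; break;
        case ACT_DONE:   if (!failed) return 1; break; /* success ends the stack */
        }
    }
    return ok_seen && !failed;                       /* an all-ignored stack fails */
}

/* Constructed stack: pam_usb as sufficient, then pam_unix as required. */
int scenario(enum ret usb, enum ret unix_pw, int *ran)
{
    const struct entry stack[] = {
        { "pam_usb.so",  "sufficient", usb },
        { "pam_unix.so", "required",   unix_pw },
    };
    return run_stack(stack, 2, ran);
}

int main(void)
{
    int ran, ok = scenario(AUTH_ERR, SUCCESS, &ran);
    printf("pam_usb=AUTH_ERR, pam_unix=SUCCESS: ok=%d, modules run=%d\n", ok, ran);
    return 0;
}
```

In this model PAM_AUTH_ERR and PAM_IGNORE from the `sufficient` entry are treated identically, and in both cases pam_unix runs and decides the outcome.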


mcdope commented May 14, 2022

Note for myself: recheck - maybe the fix for #115 also fixed this. Not exactly likely, but still...
