
pam authentication with one-time use passwords

Matthew Gyurgyik gyurgyikms@ornl.gov
Thu, 5 Dec 2013 13:53:42 GMT


Hello.

When attempting to use PAM with conserver, I noticed that conserver was sending multiple authentications to PAM. As our security policy mandates one-time authentication tokens (RSA), multiple authentications using the same password fail.

Poking around in the code I identified 4 places where CheckPasswd() is called.

master.c:464 (CheckPasswd(pCLServing, pCLServing->accmd->string, FLAGFALSE) != AUTH_SUCCESS)
master.c:568 (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS)
group.c:3389 (CheckPasswd(pCLServing, pCLServing->accmd->string, FLAGFALSE) != AUTH_SUCCESS)
group.c:3495 (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS)

When connecting from a remote client, it seems the authentication code in master.c is called and then the authentication code in group.c is called.

Would it be possible to call CheckPasswd() once, store the result in a global variable, and then pass that global variable to each of the conditional statements?

Additionally, it would appear that the if statement (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS) at master.c:568 and group.c:3495 will never evaluate true. As I understand the code, the second variable passed into CheckPasswd should be the user password and in this case, this is blank. The CheckPasswd function doesn't do anything special with a blank password.

My C knowledge is nearly non-existent and therefore my grasp of the authentication code is poor. I don't know the difference between master.c and group.c and why authentication is happening in both master.c and group.c.

Thank you,
Matthew Gyurgyik





--
Matthew Gyurgyik
HPC System Administrator
National Center for Computational Sciences
Oak Ridge National Laboratory
865-576-7099
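
Added example, not part of the original message and not conserver code: a small C model of the behaviour described above, where two checkpoints each send the same one-time token to the backend, next to a variant that records the verdict on the connection. All names (otp_backend, client_conn, check_once, the token value) are hypothetical, and it assumes both checkpoints run in the same process and can reach the same connection state.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model; every name here is hypothetical, not conserver's. */
typedef enum { AUTH_FAIL = 0, AUTH_OK = 1 } auth_result;
/* token: constructed one-time value; consumed: set after first successful
 * use; calls: how many times the backend was asked. */
typedef struct { const char *token; int consumed, calls; } otp_backend;
typedef struct { int authenticated; } client_conn;

/* Stand-in for a PAM stack with one-time tokens: a replay is rejected. */
static auth_result backend_verify(otp_backend *b, const char *pw)
{
    b->calls++;
    if (b->consumed || strcmp(pw, b->token) != 0)
        return AUTH_FAIL;
    b->consumed = 1;
    return AUTH_OK;
}

/* Ask the backend only until this connection has authenticated once.
 * Failures are not cached, so a retry with a fresh token still works. */
static auth_result check_once(client_conn *c, otp_backend *b, const char *pw)
{
    if (!c->authenticated && backend_verify(b, pw) == AUTH_OK)
        c->authenticated = 1;
    return c->authenticated ? AUTH_OK : AUTH_FAIL;
}

/* Two checkpoints on one connection, each calling the backend directly. */
static auth_result second_check_uncached(otp_backend *b, const char *pw)
{
    backend_verify(b, pw);         /* first checkpoint consumes the token */
    return backend_verify(b, pw);  /* second checkpoint replays it */
}

/* The same two checkpoints routed through the per-connection verdict. */
static auth_result second_check_cached(otp_backend *b, const char *pw)
{
    client_conn c = { 0 };
    check_once(&c, b, pw);
    return check_once(&c, b, pw);
}

int main(void)
{
    otp_backend a = { "492817", 0, 0 }, b = { "492817", 0, 0 };
    auth_result r1 = second_check_uncached(&a, "492817");
    auth_result r2 = second_check_cached(&b, "492817");
    printf("uncached=%d calls=%d cached=%d calls=%d\n", r1, a.calls, r2, b.calls);
    return 0;
}
```

The recorded verdict belongs to one connection and one user, so it has to be cleared when the connection closes or the user changes.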