hi folks,

looking into rlm_pam, I noticed that pam_end is always called with result_code = PAM_SUCCESS, even when the user is not authenticated. This is a mistake when a pam module uses some internal data via the pam_set_data/pam_get_data calls. Taken from http://www.it.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-2.html#ss2.1:

"... The function cleanup() is associated with the data and, if non-NULL, it is called when this data is over-written or following a call to pam_end() (see the Linux-PAM Application Developers' Guide).

The error_status argument is used to indicate to the module the sort of action it is to take in cleaning this data item. As an example, Kerberos creates a ticket file during the authentication phase, this file might be associated with a data item. When pam_end() is called by the module, the error_status carries the return value of the pam_authenticate() or other libpam function as appropriate. Based on this value the Kerberos module may choose to delete the ticket file (authentication failure) or leave it in place."

A correct use of pam_end is http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-8.html

Hope this helps; attached there's a patch to solve the problem.

-- 
Massimiliano Liccardo (maX) <[EMAIL PROTECTED]> jid:[EMAIL PROTECTED]
GnuPG public key available on wwwkeys.eu.pgp.net
Key fingerprint: 992D 91B7 9682 9735 12C9 402D AD3F E4BB D01F 1CAD
"speed induces oblivion, slowness remembrance"
--- rlm_pam.c.orig 2003-07-11 21:51:34.000000000 +0200 +++ rlm_pam.c 2003-11-26 20:15:26.000000000 +0100 @@ -204,7 +204,7 @@ if (retval != PAM_SUCCESS) { DEBUG("pam_pass: function pam_authenticate FAILED for <%s>. Reason: %s", name, pam_strerror(pamh, retval)); - pam_end(pamh, 0); + pam_end(pamh, retval); return -1; } @@ -217,13 +217,13 @@ if (retval != PAM_SUCCESS) { DEBUG("pam_pass: function pam_acct_mgmt FAILED for <%s>. Reason: %s", name, pam_strerror(pamh, retval)); - pam_end(pamh, 0); + pam_end(pamh, retval); return -1; } #endif DEBUG("pam_pass: authentication succeeded for <%s>", name); - pam_end(pamh, 0); + pam_end(pamh, PAM_SUCCESS); return 0; }
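Review bot: the first hunk (@@ -204,7) is correct but probably incomplete: any pam_end call in pam_pass that lies before line 204 and outside the diff context (for example after a pam_start or pam_set_item failure) should be checked for the same `pam_end(pamh, 0)` pattern, since the problem described applies to every failure path, not only pam_authenticate. With PAM_SUCCESS defined as 0, the old call told every registered module cleanup that authentication had succeeded; passing retval is exactly what the quoted Application Developers' Guide text asks for.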
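Review bot: in the second hunk (@@ -217,13) the third change, `- pam_end(pamh, 0);` / `+ pam_end(pamh, PAM_SUCCESS);` on the success path, does not alter behaviour because PAM_SUCCESS is 0; it is a readability improvement, so the patch description should say that only the two failure-path changes are functional. The pam_acct_mgmt branch sits inside a conditional block (the `#endif` is visible in the context), so the retval fix there only takes effect in builds where that block is compiled in; worth a sentence in the changelog so nobody looks for a missing change.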