Public bug reported:

In attempting to fix bug #43465 I have stumbled across this additional
issue.

My common-auth file follows:

auth [default=die success=done authinfo_unavail=reset] pam_unix.so debug
auth [default=die success=1 service_err=reset auth_err=die] pam_krb5.so use_first_pass debug forwardable
auth [default=die success=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store use_first_pass

The basic idea here is that pam_unix should return success only when it
is successful, and the process should exit successfully. If pam_unix
returns "authinfo_unavail", which basically indicates that no password
is assigned to this user locally or in shadow, the stack should proceed
to the next module. Any other exit value, such as auth_err, should
result in immediate termination.

When run with login, ssh, gdm, and most other pam applications, this
works exactly as expected.

When run from gnome-screensaver, while trying to unlock the screen, this
does not work.

The difference is that gnome-screensaver does not run as root. I suspect
this improperly alters the exit code. Even when run as non-root, the
exit code should still be the same; there is no local shadow entry for
this user and he does not appear in /etc/passwd. He is delivered by
nss_ldap.

This bug is blocking the network-authentication spec.

** Affects: pam (Ubuntu)
     Importance: Undecided
         Status: Unconfirmed

-- 
pam_unix returns incorrect return value when not run as root
https://launchpad.net/bugs/67276

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
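
Added example (not part of the bug report and not PAM's own code): a simplified Python model of how the bracketed control values in the common-auth stack above are evaluated for authentication, showing that any pam_unix result other than success or authinfo_unavail ends the stack before pam_krb5 is consulted. The function names and the module return values fed in are assumptions constructed for illustration.

```python
import re

# The common-auth stack from the report (pam_krb5 line unwrapped).
COMMON_AUTH = """\
auth [default=die success=done authinfo_unavail=reset] pam_unix.so debug
auth [default=die success=1 service_err=reset auth_err=die] pam_krb5.so use_first_pass debug forwardable
auth [default=die success=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store use_first_pass
"""
RULE = re.compile(r"^\s*auth\s+\[([^\]]*)\]\s+(\S+)")

def parse_stack(text):
    """Return [(module, {return_value: action})] for bracketed auth lines."""
    stack = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            actions = dict(pair.split("=", 1) for pair in m.group(1).split())
            stack.append((m.group(2), actions))
    return stack

def evaluate(stack, returns):
    """returns[i] is the constructed result of entry i. Simplified model:
    a numeric action skips N entries without affecting the verdict."""
    status, decided, ran, i = "success", None, [], 0
    while i < len(stack):
        name, actions = stack[i]
        ret = returns[i]
        ran.append(name)
        action = actions.get(ret, actions.get("default", "bad"))
        i += 1
        if action.isdigit():
            i += int(action)                    # jump, verdict untouched
        elif action == "reset":
            status, decided = "success", None   # forget the stack state so far
        elif action in ("bad", "die"):
            if decided is not False:
                status, decided = ret, False    # first failure sticks
            if action == "die":
                break
        elif action in ("ok", "done"):
            if decided is None or (decided and status == "success"):
                status, decided = ret, True
            if decided and action == "done":
                break
    # No verdict at all must not count as success.
    return (status if decided is not None else "perm_denied"), ran
```

Calling `evaluate(parse_stack(COMMON_AUTH), [...])` with one return value per stack entry gives the final status and the list of modules that actually ran.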
