From: Stefan <vr...@st...> - 2005-09-25 09:39:16
Hello all,

First of all I must say that I'm not very familiar with the PAM internals. I've faced a problem when I tried to configure an OpenSSH server (FreeBSD-5.3) with pam_mysql (0.7pre2). Here is the piece of /etc/pam.d/sshd:

    auth sufficient pam_mysql.so user=...
    auth required pam_unix.so no_warn use_first_pass

It works just fine when the user's password is stored in the mysql database, but fails when the user has no password in mysql, but has it in the unix shadow file (the root password, for example). I've found this code in pam_mysql.c:

    switch (pam_mysql_check_passwd(ctx, user, passwd,
            !(flags & PAM_DISALLOW_NULL_AUTHTOK))) {
        case PAM_MYSQL_ERR_SUCCESS:
            retval = PAM_SUCCESS;
            break;
        case PAM_MYSQL_ERR_NO_ENTRY:
            retval = PAM_USER_UNKNOWN;
            goto out;
        case PAM_MYSQL_ERR_MISMATCH:
            retval = PAM_AUTH_ERR;
            goto out;
        case PAM_MYSQL_ERR_ALLOC:
            retval = PAM_BUF_ERR;
            goto out;
        default:
            retval = PAM_SERVICE_ERR;
            goto out;
    }

    (void) pam_set_item(pamh, PAM_AUTHTOK, passwd);

    out:
    if (passwd != NULL) {
        xfree_overwrite(passwd);
    }

But in this case the authtoken wouldn't be passed to the next module in the chain unless PAM_MYSQL_ERR_SUCCESS is returned. Is it right?

--
Regards,
Stefan
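The stack behaviour asked about above, as an added example that is not part of the original message and not pam_mysql or PAM library code: a stand-alone C model of an "auth sufficient" module followed by an "auth required" module running with use_first_pass. All names, the account data and the `publish_always` switch are hypothetical; the model assumes a use_first_pass module never prompts and fails when no token was stored.

```c
#include <stdio.h>
#include <string.h>

/* Model only: constructed stand-ins, not the real PAM API or pam_mysql code. */
enum { OK, USER_UNKNOWN, AUTH_ERR };
struct handle { const char *authtok; };          /* stands in for PAM_AUTHTOK */
struct account { const char *user, *pass; };
/* Constructed sample data: alice lives in MySQL, root only in the shadow file. */
static const struct account mysql_db[] = { { "alice", "a-pass" } };
static const struct account shadow[]   = { { "root", "r-pass" } };

static int lookup(const struct account *db, size_t n, const char *u, const char *p)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(db[i].user, u) == 0)
            return strcmp(db[i].pass, p) == 0 ? OK : AUTH_ERR;
    return USER_UNKNOWN;
}

/* First module: it is the one that prompted for the password. With the
 * hypothetical publish_always == 0 it stores the token only on success,
 * which is the control flow of the quoted switch statement. */
static int mod_mysql(struct handle *h, const char *u, const char *typed, int publish_always)
{
    int r = lookup(mysql_db, 1, u, typed);
    if (r == OK || publish_always)
        h->authtok = typed;
    return r;
}

/* Second module with use_first_pass: never prompts, uses the stored token only. */
static int mod_unix_use_first_pass(const struct handle *h, const char *u)
{
    return h->authtok ? lookup(shadow, 1, u, h->authtok) : AUTH_ERR;
}

/* "auth sufficient" then "auth required": OK means the stack lets the user in. */
static int run_stack(const char *u, const char *typed, int publish_always)
{
    struct handle h = { NULL };
    if (mod_mysql(&h, u, typed, publish_always) == OK)
        return OK;                                /* sufficient: stop here */
    return mod_unix_use_first_pass(&h, u);        /* required: decides the result */
}

int main(void)
{
    printf("root with correct password, token on success only / always: %d / %d\n",
           run_stack("root", "r-pass", 0), run_stack("root", "r-pass", 1));
    return 0;
}
```

In the model a shadow-only account is rejected even with the correct password when the first module stores the token only on success, while a wrong password is still rejected when the token is always stored.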