pam_succeed_if's pam_sm_setcred

Ian Ward Comfort icomfort at rescomp.stanford.edu
Fri Mar 6 00:34:06 UTC 2009


On 5 Mar 2009, at 10:18 AM, Ian Ward Comfort wrote:
> I have a real-world scenario in which I'd like to use pam_succeed_if  
> to skip setcred for some modules under certain circumstances.

On 5 Mar 2009, at 10:45 AM, Thorsten Kukuk wrote:
> The way the auth stack is navigated in order to evaluate the  
> pam_setcred() function call, independent of the pam_sm_setcred()  
> return codes, is exactly the same way that it was navigated when  
> evaluating the pam_authenticate() library call.

> So what you wish to do is not possible.

On 5 Mar 2009, at 11:12 AM, Ian Ward Comfort wrote:
> Ah, thanks; obviously I missed that section.  (I must be missing  
> something else, too, as I thought I had my pam_authenticate stack  
> skipping this module, but that's for me to investigate.)

I found the problem, thanks to your pointer.  My pam_authenticate  
stack is skipping the module, but the stack is being navigated in an  
sshd privsep child.  When the pam_setcred stack runs later, in the  
parent process, the child's state is of course lost, so the whole  
stack is re-run with no cached retvals and use_cached_chain ==  
_PAM_MAY_BE_FROZEN.

(Actually, the same thing happens without privilege separation on my  
RHEL 5.3 system; I'm not sure what's happening with the pthreads there.)

So, it looks like in this case, making pam_succeed_if's pam_sm_setcred  
functional would actually provide the behavior I want.  However it  
also appears that _PAM_MAY_BE_FROZEN is only intended for backward  
compatibility, so perhaps the fix should really be to OpenSSH, or my  
distro's build of it.  Thoughts?

-- 
Ian Ward Comfort <icomfort at rescomp.stanford.edu>
System Administrator, Student Computing, Stanford University
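To illustrate the situation described above, here is an added auth-stack fragment (example configuration written for this page, not taken from the thread, Linux-PAM or OpenSSH; the module name pam_foo.so and the group name localusers are hypothetical). It shows the skip pam_succeed_if performs in the pam_authenticate() pass and why, per Thorsten's explanation, that skip is only replayed in the pam_setcred() pass when the same process still holds the cached results:

```text
# Added example: an "auth" stack of the kind discussed in the thread
# (hypothetical module pam_foo.so and hypothetical group "localusers")
#
# pam_authenticate() pass:
#   pam_succeed_if succeeds for members of "localusers", so the
#   [success=1] action jumps over the next module and pam_foo.so
#   is never run for those users.
auth  [success=1 default=ignore]  pam_succeed_if.so  user ingroup localusers
auth  required                    pam_foo.so
auth  required                    pam_unix.so
#
# pam_setcred() pass:
#   The stack is navigated along the path taken by the authenticate
#   pass, independent of the modules' pam_sm_setcred() return codes.
#   That path is known only from the cached results of the authenticate
#   pass in the same process. When sshd authenticates in a privsep
#   child and calls pam_setcred() later in the parent, nothing is
#   cached, the whole stack is walked afresh, and since
#   pam_succeed_if's pam_sm_setcred does not evaluate the condition,
#   pam_foo.so's setcred runs for every user, including "localusers".
```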