RHEL8, pam_succeed_if.so and SSHD "PAM: pam_setcred" error #81

Open
nyetsche opened this issue Jan 24, 2024 · 0 comments

@nyetsche

Thank you for this useful project!

I'm using the module with a conditional, as described in the documentation. The intent is that members of the unregistered group don't need a token, as we slowly enroll users. Example code:

googleauthenticator::pam::mode {
    'unregistered':
      condition => 'user ingroup unregistered',
}

googleauthenticator::pam {
    'sshd':  mode => 'unregistered';
}

This creates the auth section in /etc/pam.d/sshd:

auth       substack     password-auth
auth       include      postlogin
auth include google-authenticator-unregistered
account    required     pam_sepermit.so
[...]

And the file /etc/pam.d/google-authenticator-unregistered:

auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup unregistered
auth required pam_google_authenticator.so

Logging in w/ SSH fails BOTH for password+token, and with just password.

From the ssh client, the error is:

client_loop: send disconnect: Broken pipe

The /var/log/secure entries (sshd & PAM logs) are:

Jan 24 15:41:39 HOSTNAME-rhel8 sshd(pam_google_authenticator)[4202]: Accepted google_authenticator for MYUSERNAME
Jan 24 15:41:39 HOSTNAME-rhel8 sshd[4197]: Accepted keyboard-interactive/pam for MYUSERNAME from ::1 port 53708 ssh2
Jan 24 15:41:39 HOSTNAME-rhel8 sshd[4197]: fatal: PAM: pam_setcred(): The return value should be ignored by PAM dispatch

That's not much to go on, but after some research I came across this suggestion for /etc/pam.d/google-authenticator-unregistered:

auth [default=1 ignore=ignore success=ignore] pam_succeed_if.so quiet user ingroup unregistered
auth required pam_google_authenticator.so

That is, add ignore=ignore to the return actions.

SSH then succeeds:

Jan 24 15:43:49 HOSTNAME-rhel8 sshd(pam_google_authenticator)[4221]: Accepted google_authenticator for MYUSERNAME
Jan 24 15:43:49 HOSTNAME-rhel8 sshd[4219]: Accepted keyboard-interactive/pam for MYUSERNAME from ::1 port 37998 ssh2
Jan 24 15:43:49 HOSTNAME-rhel8 systemd[4227]: pam_unix(systemd-user:session): session opened for user MYUSERNAME by (uid=0)

I'm unsure why ignore=ignore is necessary; I think it's from this function return in pam_succeed_if: https://github.com/linux-pam/linux-pam/blob/8f9d8239344354c5c80d85a326b1a6c6661ea9b6/modules/pam_succeed_if/pam_succeed_if.c#L578

Perhaps the original formulation works on other distributions, but for RHEL8.9 (Ootpa), RPM pam-1.3.1-27.el8.x86_64, and openssh-server-8.0p1-19.el8_8.x86_64, the ignore=ignore action is necessary.

I can create a PR if desired, but I'd like to understand the necessity of doing so in other distributions first. (At the moment I only have access to a RHEL8.9 server). Hopefully this issue and fix helps anyone else who may have the same error.
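The fix in this report hinges on how PAM's bracketed control syntax resolves return values: pam.conf(5) maps each module return value to an action, and any value not named explicitly takes `default`, so a `PAM_IGNORE` result under `[default=1 success=ignore]` becomes a jump rather than being disregarded. As an added illustration (not code from this project or from the report), the Python below parses such control fields, resolves a return value to its action, and audits a PAM file for entries where an `ignore` result would turn into a jump; the sample file is constructed from the two lines quoted in the report, and the fallback for a missing `default` is an assumption about the Linux-PAM dispatcher noted in the code.

```python
"""Resolve Linux-PAM control fields ([value=action ...]) as described in pam.conf(5)."""
import re

# Keyword controls are shorthand for these bracketed forms (pam.conf(5)).
KEYWORD_CONTROLS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}
ACTIONS = {"ignore", "bad", "die", "ok", "done", "reset"}  # or a positive integer N: jump N

def parse_control(control: str) -> dict:
    """Map each named return value (and 'default') to its action string."""
    m = re.fullmatch(r"\[(.*)\]", KEYWORD_CONTROLS.get(control, control).strip())
    if not m:
        raise ValueError(f"unrecognised control field: {control!r}")
    table = {}
    for token in m.group(1).split():
        value, _, action = token.partition("=")
        if action not in ACTIONS and not action.isdigit():
            raise ValueError(f"bad action in token {token!r}")
        table[value] = action
    return table

def resolve(control: str, return_value: str) -> str:
    """Action taken when a module returns `return_value` (pam.conf(5) name, e.g. 'ignore').
    Unlisted values take 'default'; a missing default is assumed to act as 'bad'."""
    table = parse_control(control)
    action = table.get(return_value, table.get("default", "bad"))
    return f"jump {action}" if action.isdigit() else action

def audit_pam_lines(text: str) -> list:
    """(line number, module) for entries whose control turns a PAM_IGNORE result into
    a jump, i.e. skips the next N entries instead of disregarding the result."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = re.match(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m or m.group(2) in ("include", "substack"):
            continue  # comment/blank line, or a directive that pulls in another file
        if resolve(m.group(2), "ignore").startswith("jump"):
            hits.append((no, m.group(3)))
    return hits

# Constructed sample: the two-line file from the report, before and after the fix.
ORIGINAL_FILE = ("auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup unregistered\n"
                 "auth required pam_google_authenticator.so\n")
FIXED_FILE = ORIGINAL_FILE.replace("[default=1 success=ignore]",
                                   "[default=1 ignore=ignore success=ignore]")
```

Running `audit_pam_lines` over a generated /etc/pam.d file before deploying it catches the original formulation, where a `PAM_IGNORE` result from the first module jumps past the one that follows it.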
