Subject: Re: pam_too_verbose_
To: Zafer Aydogan <zafer@gmx.org>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: current-users
Date: 08/11/2005 04:10:17
On Nov 21, 10:01am, "Zafer Aydogan" wrote:
} 
} I've installed NetBSD from today's sources and enabled telnet without
} authorization in inetd.conf.
} When trying to log in via telnet from another machine, the following happens:
} 
} 
} NetBSD/i386 (current.aydogan.net) (ttyp0)
} 
} login: root
} 
} Password: <now I'm entering the correct root password>
} login: pam_acct_mgmt: authentication error
} 
} 
} Lost Connection to Host.
} 
} At the first glance, this looks normal.
} But now, another try....
} 
} NetBSD/i386 (current.aydogan.net) (ttyp0)
} 
} login: root
} 
} Password: <now I'm entering a wrong root password>
} Login incorrect
} login: login:
} 
} So, what's the difference ?
} The verbose PAM message is telling you that you have entered the correct
} root password.
} 
} I would expect that, whether I enter the right or the wrong root password,
} I get the same message - "Login incorrect".
} In this case, I think, when authorized, you get through to PAM, which denies
} your login attempt.
} But shouldn't the attempt be denied before it is authenticated?

     When you use telnetd without authorization, it simply processes
any telnet options, sets up a pty, and starts /usr/bin/login attached
to the slave side of the pty.  Thus /usr/bin/login is responsible for
authentication and it is the guilty party, not telnetd.

     login calls pam_authenticate() to check the password.  If there is
a problem with the password, login prints "Login incorrect" and loops
back for another try.  If the password is correct, then it calls
pam_acct_mgmt().  If pam_acct_mgmt() gives the okay, then life is good
and the login process proceeds.  If pam_acct_mgmt() says a new password
is required, then it calls pam_chauthtok() to set a new password.
Otherwise, it calls pam_strerror() and prints the message that you
saw.

     pam_authenticate() is only responsible for checking the password.
pam_acct_mgmt() is responsible for checking to see if it has expired,
whether you are allowed to login on the terminal that you are using,
whether you are allowed to login at that time of day, etc.  The
solution is to have login treat an authentication error from
pam_acct_mgmt() the same way that it treats one from
pam_authenticate().  I will append a patch to your PR.

}-- End of excerpt from "Zafer Aydogan"
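The login sequence John describes, and the fix he proposes, as an added stand-alone model (not NetBSD's /usr/bin/login or OpenPAM code). The mock_pam_* functions are constructed stand-ins for libpam so the program builds without -lpam: the accepted password, the return-code values and the fact that pam_acct_mgmt()'s verdict is passed in as a parameter are all assumptions made for the example. login_attempt() returns the text the remote user would see, and messages_leak_password() is the attacker's check: with the account check failing, does the reply to the correct password differ from the reply to a wrong one?

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the libpam return codes in the discussion.
 * The numeric values are arbitrary; only their identity matters here. */
enum {
    MOCK_PAM_SUCCESS = 0,
    MOCK_PAM_AUTH_ERR,
    MOCK_PAM_NEW_AUTHTOK_REQD,
    MOCK_PAM_PERM_DENIED
};

/* Constructed: the one password the mock authenticator accepts. */
#define CORRECT_PASSWORD "example-root-password"

/* Stand-in for pam_strerror(). */
static const char *mock_pam_strerror(int rv)
{
    switch (rv) {
    case MOCK_PAM_SUCCESS:          return "success";
    case MOCK_PAM_AUTH_ERR:         return "authentication error";
    case MOCK_PAM_NEW_AUTHTOK_REQD: return "new authentication token required";
    case MOCK_PAM_PERM_DENIED:      return "permission denied";
    default:                        return "unknown error";
    }
}

/* Stand-in for pam_authenticate(): only the password is checked. */
static int mock_pam_authenticate(const char *password)
{
    return strcmp(password, CORRECT_PASSWORD) == 0
        ? MOCK_PAM_SUCCESS : MOCK_PAM_AUTH_ERR;
}

/* Stand-in for pam_acct_mgmt(): expiry, tty and time-of-day checks.  The
 * verdict is passed in so each branch of login's handling can be exercised. */
static int mock_pam_acct_mgmt(int verdict)
{
    return verdict;
}

/* One login attempt, returning the message the remote user sees.
 * verbose != 0 reproduces the behaviour in the report: a pam_acct_mgmt()
 * failure is printed through pam_strerror(), and that path is only reached
 * after the password was accepted.  verbose == 0 is the proposed fix: an
 * account-management error is reported exactly like a bad password. */
const char *login_attempt(const char *password, int acct_verdict, int verbose)
{
    static char msg[128];
    int rv;

    rv = mock_pam_authenticate(password);
    if (rv != MOCK_PAM_SUCCESS)
        return "Login incorrect";

    rv = mock_pam_acct_mgmt(acct_verdict);
    switch (rv) {
    case MOCK_PAM_SUCCESS:
        return "login ok";
    case MOCK_PAM_NEW_AUTHTOK_REQD:
        return "password expired (would call pam_chauthtok())";
    default:
        if (verbose) {
            snprintf(msg, sizeof msg, "login: pam_acct_mgmt: %s",
                     mock_pam_strerror(rv));
            return msg;
        }
        return "Login incorrect";
    }
}

/* The attacker's test.  Returns 1 when the reply is an oracle for the
 * password (correct and wrong password give different text), else 0. */
int messages_leak_password(int acct_verdict, int verbose)
{
    const char *wrong = login_attempt("wrong-guess", acct_verdict, verbose);
    const char *right = login_attempt(CORRECT_PASSWORD, acct_verdict, verbose);
    return strcmp(wrong, right) != 0;
}

int main(void)
{
    int verbose;

    for (verbose = 1; verbose >= 0; verbose--) {
        printf("%s login, account check failing:\n",
               verbose ? "unpatched" : "patched");
        printf("  wrong password   -> %s\n",
               login_attempt("wrong-guess", MOCK_PAM_AUTH_ERR, verbose));
        printf("  correct password -> %s\n",
               login_attempt(CORRECT_PASSWORD, MOCK_PAM_AUTH_ERR, verbose));
        printf("  password oracle: %s\n",
               messages_leak_password(MOCK_PAM_AUTH_ERR, verbose) ? "yes" : "no");
    }
    return 0;
}
```

Only the default branch of the switch changes between the two behaviours, which is the whole of the fix: pam_acct_mgmt() still rejects the session, but the remote side can no longer tell a rejected account from a wrong password. A real login links libpam, sets up a conversation function and calls pam_start() before any of this; the mocks exist only to make the control flow and the oracle visible offline.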