https://bugzilla.mindrot.org/show_bug.cgi?id=2408
--- Comment #22 from Vincent Brillault <[email protected]> ---

Dear all,

Sorry for the long absence of comment. We (CERN) have been using RedHat's patch (see e.g. https://git.centos.org/blob/rpms!openssh.git/c7/SOURCES!openssh-7.4p1-expose-pam.patch) and it's working perfectly for us (I need to update the github page). I had seen your commits in June (which made sense, but I didn't have time to review them then) but completely missed your commits in July; thanks for both and sorry for the absence of reply/review.

I've tried to take a look at the patches right now. I understand that you have added "expose_authinfo" calls to the do_pam_session & do_pam_account functions to make sure that the data is up to date at these points in time. I think this was missing in the patch I submitted, thanks!

However, as Radek found out, one important step is missed: the authentication part of PAM. What is important for the 2FA case is that this variable is set when calling pam_authenticate, to allow PAM modules to make a choice depending on what already happened. In my case (CERN), it's simply skipping the standard password authentication part if there was a successful authentication.

Calling "expose_authinfo" just before the PAM thread is started, as proposed by Radek, should resolve this problem. I have not tested it, but this is what my patch was doing (see e.g. https://bugzilla.mindrot.org/attachment.cgi?id=2846&action=diff#a/auth-pam.c_sec1) and what RedHat is doing (https://git.centos.org/blob/rpms!openssh.git/c7/SOURCES!openssh-7.4p1-expose-pam.patch#L184).

Sorry again and thanks for all your work,
Vincent
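An added example, not code from the bug, from CERN's module or from OpenSSH: the kind of decision a PAM module's pam_sm_authenticate() can take once sshd exposes the completed methods before pam_authenticate runs. It assumes the PAM environment variable is named SSH_USER_AUTH (real input would come from pam_getenv(); here it is passed in) and that its value is one "method[/submethod] [details]" line per completed method; when the variable is absent, as it is if expose_authinfo only runs at account/session time, the helper returns 0 so the password step is not skipped.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical policy helper for a PAM module: has sshd recorded a
 * completed authentication with method name `wanted`?
 * Assumed value format (one line per completed method):
 *   "publickey ssh-ed25519 SHA256:...\n"
 *   "keyboard-interactive/pam\n"
 */
static int method_completed(const char *authinfo, const char *wanted)
{
    const char *p = authinfo;
    size_t wlen = strlen(wanted);

    /* NULL: nothing was exposed before pam_authenticate, so the
     * caller gets no evidence and must keep the password step. */
    if (p == NULL)
        return 0;
    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        /* the method name ends at a space, a '/' or end of line */
        size_t mlen = strcspn(p, " /\n");
        if (mlen > linelen)
            mlen = linelen;
        if (mlen == wlen && strncmp(p, wanted, wlen) == 0)
            return 1;
        p += linelen;
        if (*p == '\n')
            p++;
    }
    return 0;
}

/* Fail closed: skip the password prompt only on positive evidence
 * that a public-key authentication already succeeded. */
int skip_password_step(const char *authinfo)
{
    return method_completed(authinfo, "publickey");
}

int main(void)
{
    /* constructed sample of what sshd would expose */
    const char *sample = "publickey ssh-ed25519 SHA256:EXAMPLEFINGERPRINT\n";
    printf("skip with publickey: %d\n", skip_password_step(sample));
    printf("skip with nothing exposed: %d\n", skip_password_step(NULL));
    return 0;
}
```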
