- Package: libpam-otpw
- Source: otpw
- Description: Use OTPW for PAM authentication
- Submitter: Sam Morris
- Date: 2021-09-22 04:49:13 UTC
- Severity: important
- Tags:
The session module functionality of pam_otpw does not work. In /etc/pam.d/ssh I have:

    session optional pam_otpw.so

But when I log in, I am not told how many passwords I have left. Instead, the following is logged to syslog at error priority:

    Sep 2 12:34:36 crypt ssh(pam_otpw)[23503]: pam_get_data() failed
tag 440516 unreproducible
thanks

    mjj29@adonis:~$ grep otpw /etc/pam.d/common-session
    session optional pam_otpw.so
    mjj29@adonis:~$ su
    Password 149:
    Password:
    Remaining one-time passwords: 280 of 280
    adonis:~#

I did also see a similar message, but only once in the logs and I can't reproduce it. Hmm, there may be a problem with a mixed sid/etch environment, which is officially unsupported, but I was also running with that setup and had working session on ssh logins (don't have one to hand to test right now though).

Can you reproduce it on any other system, particularly a pure-sid one?

Thanks,
Matt
Also works for me with su (if I also add pam_otpw to /etc/pam.d/su). So this appears to be specific to sshd. If you could try again at some point, or at least let me know how you configured the OTPW pam modules, I'd be much obliged. :)

I'll

-- 
Sam Morris <sam@robots.org.uk>
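Hi,

as a workaround it is possible to use something like

    # Only report when logged in over SSH and an OTPW file exists
    if [ -n "$SSH_TTY" ] && [ -f "$HOME/.otpw" ]; then
        # Line count of ~/.otpw, including its 2 header lines
        PW_LINES=$(wc -l < "$HOME/.otpw")
        # Used passwords are the lines containing "----"
        PW_USED=$(grep -c -- ---- "$HOME/.otpw")
        echo "OTPW $PW_USED/$((PW_LINES - 2)) used"
    fi

It works when you use otpw with ssh.

Kind regards,
Wolfgang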
Hi,

This (relatively old) bug asks if it exists in a pure environment. It does seem to exist in 1.3-2 on a pure squeeze system. If telnetd is used, it works; if sshd, then the session module returns an error which is logged as per the original report.

I (1) installed a fresh squeeze inside virtualbox; (2) set /etc/ssh/sshd_config to include UsePrivilegeSeparation no, ChallengeResponseAuthentication yes; (3) set /etc/pam.d/ssh to include the two pam_otpw.so lines.

I haven't investigated further to see if the problem lies in otpw, or the PAM data it receives from ssh.

Cheers,
Phil.
The pam_otpw.so session module version 1.3-2 in Wheezy does not print out the number of passwords reminder as expected. I think this is because the function pam_sm_open_session is trying to get the challenge data from the handle provided, but that handle does not contain the challenge (which had been set up during the authentication phase) because we are now running in a different process than the one where the authentication happened. So the challenge data is NULL and the module aborts. The attached patch for pam_otpw.c (v1.3-2) fixes this and issues correct password reminders on my Wheezy system.
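The explanation in the message above, as an added C model that is not part of the original report, the attached patch, or pam_otpw itself: data attached to a handle in one process is absent when a different process runs the session phase. `toy_handle`, `toy_set_data`, `toy_get_data`, the key name and the value `149` are hypothetical stand-ins for `pam_handle_t`, `pam_set_data()`, `pam_get_data()` and the module's challenge state; that sshd authenticates in a separate process is the message's hypothesis, taken here as an assumption.

```c
/* Toy model, not libpam: per-handle module data lives in process memory,
 * so data stored by one process is not visible to another. All names below
 * are hypothetical stand-ins; the key and value are constructed samples. */
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

struct toy_handle { char key[32]; char value[32]; int present; };

static void toy_set_data(struct toy_handle *h, const char *k, const char *v) {
    snprintf(h->key, sizeof h->key, "%s", k);
    snprintf(h->value, sizeof h->value, "%s", v);
    h->present = 1;
}

static const char *toy_get_data(const struct toy_handle *h, const char *k) {
    return (h->present && strcmp(h->key, k) == 0) ? h->value : NULL;
}

/* Auth phase: store the challenge state on the handle. */
static void auth_phase(struct toy_handle *h) {
    toy_set_data(h, "otpw:challenge", "149");
}

/* Session phase: 0 if the auth-phase state is available, -1 if it is not. */
static int session_phase(const struct toy_handle *h) {
    return toy_get_data(h, "otpw:challenge") ? 0 : -1;
}

/* Run auth in the calling process (the su case) or in a forked child
 * (assumed sshd case), then run the session phase in the calling process. */
int run_login(int auth_in_child) {
    struct toy_handle h = {0};
    if (!auth_in_child) {
        auth_phase(&h);
    } else {
        pid_t pid = fork();
        if (pid < 0) return -2;
        if (pid == 0) { auth_phase(&h); _exit(0); } /* child's copy is lost */
        waitpid(pid, NULL, 0);
    }
    return session_phase(&h);
}

int main(void) {
    printf("auth in same process: %d\n", run_login(0));
    printf("auth in child process: %d\n", run_login(1));
    return 0;
}
```

A session module that must work in both cases cannot depend on state left behind by the auth phase; it has to treat a missing entry as a normal condition.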
Seeing this exact issue, with the offending log entry, in an up-to-date Wheezy system. pam_otpw was added to /etc/pam.d/sshd by commenting the "@include common-auth" line and adding "auth required pam_otpw.so" and "session optional pam_otpw.so" directly below it.