#440516 libpam-otpw: pam_otpw session module does not work

Package:
libpam-otpw
Source:
otpw
Description:
Use OTPW for PAM authentication
Submitter:
Sam Morris
Date:
2021-09-22 04:49:13 UTC
Severity:
important
Tags:
#440516#5
Date:
2007-09-02 11:34:59 UTC
From:
To:
The session module functionality of pam_otpw does not work.

In /etc/pam.d/ssh I have:

  session optional pam_otpw.so

But when I log in, I am not told how many passwords I have left.
Instead, the following is logged to syslog at error priority:

  Sep  2 12:34:36 crypt ssh(pam_otpw)[23503]: pam_get_data() failed

#440516#10
Date:
2007-09-02 20:41:57 UTC
From:
To:
tag 440516 unreproducible
thanks

mjj29@adonis:~$ grep otpw  /etc/pam.d/common-session
session  optional pam_otpw.so

mjj29@adonis:~$ su
Password 149:
Password:
Remaining one-time passwords: 280 of 280
adonis:~#

I did also see a similar message, but only once in the logs and I
can't reproduce it.

Hmm, there may be a problem with a mixed sid/etch environment, which is
officially unsupported, but I was also running with that setup and had
working session on ssh logins (don't have one to hand to test right now
though)

Can you reproduce it on any other system, particularly a pure-sid one?

Thanks,
Matt

#440516#17
Date:
2007-09-11 15:40:17 UTC
From:
To:
Also works for me with su (if I also add pam_otpw to /etc/pam.d/su). So
this appears to be specific to sshd.

If you could try again at some point, or at least let me know how you
configured the OTPW pam modules, I'd be much obliged. :)

I'll
-- 
Sam Morris <sam@robots.org.uk>

#440516#22
Date:
2009-01-09 11:10:25 UTC
From:
To:
Hi,
as a workaround it is possible to use something like

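# Print OTPW usage on SSH logins only
if [ -n "$SSH_TTY" ] && [ -f "$HOME/.otpw" ]; then
  # Total line count; the subtraction below skips the two header lines
  PW_LINES=$(wc -l < "$HOME/.otpw")
  # Count the lines that contain a run of dashes
  PW_USED=$(grep -c -- ---- "$HOME/.otpw")
  echo "OTPW $PW_USED/$((PW_LINES - 2)) used"
fi

It works when you use otpw with ssh.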
Kind regards,
Wolfgang

#440516#30
Date:
2011-03-18 11:53:07 UTC
From:
To:
Hi,

This (relatively old) bug asks if it exists in a pure environment.  It
does seem to exist in 1.3-2 on a pure squeeze system.

If telnetd is used, it works; if sshd, then the session module returns an
error which is logged as per the original report.

I (1) installed a fresh squeeze inside virtualbox; (2) set
/etc/ssh/sshd_config to include UsePrivilegeSeparation no,
ChallengeResponseAuthentication yes; (3) set /etc/pam.d/ssh to include the
two pam_otpw.so lines.

I haven't investigated further to see if the problem lies in otpw, or the
PAM data it receives from ssh.

Cheers,

Phil.

#440516#38
Date:
2012-06-24 22:43:45 UTC
From:
To:
The pam_otpw.so session module version 1.3-2 in Wheezy does not print out the number of
passwords reminder as expected.
I think this is because the function pam_sm_open_session is trying to get the challenge data from
the handle provided, but that handle does not contain the challenge (which had been set up
during the authentication phase) because we are now running in a different process than the one
where the authentication happened. So the challenge data is NULL and the module aborts.

The attached patch for pam_otpw.c (v1.3-2) fixes this and issues correct password reminders on
my Wheezy system.
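
Added example (not the attached patch, which is not reproduced on this page, and not code from pam_otpw): one way a session hook can produce the reminder without any state carried over from the authentication process is to re-read the password file itself. The file layout (two header lines, used entries overwritten with hyphens) is an assumption taken from the shell workaround earlier in this thread; `otpw_count_file`, `write_sample` and the sample file contents are hypothetical and constructed.

```c
#include <stdio.h>
#include <string.h>

/* Result of scanning an OTPW password file. */
struct otpw_count { int total; int remaining; };

/* Count entries without any state from the auth phase. Assumed layout
 * (as in the shell workaround in this thread): two header lines, then one
 * entry per line; a used entry is overwritten with hyphens.
 * Returns 0 on success, -1 if the file is missing or lacks the header. */
int otpw_count_file(const char *path, struct otpw_count *out)
{
    char line[256];
    int lineno = 0;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    out->total = out->remaining = 0;
    while (fgets(line, sizeof line, f)) {
        if (++lineno <= 2) continue;        /* skip the two header lines */
        if (line[0] == '\n') continue;      /* ignore blank lines */
        out->total++;
        if (strncmp(line, "----", 4) != 0) out->remaining++;  /* unused */
    }
    fclose(f);
    return lineno >= 2 ? 0 : -1;
}

/* Hypothetical helper: write a constructed sample file for the demo. */
int write_sample(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("OTPW1\n4 3 12 8\n", f);                    /* constructed header */
    fputs("001AAAAAAAAAAAA\n---------------\n"        /* 2 unused, 2 used */
          "003CCCCCCCCCCCC\n---------------\n", f);
    return fclose(f);
}

int main(void)
{
    struct otpw_count c;
    const char *p = "otpw_sample.tmp";
    if (write_sample(p) != 0 || otpw_count_file(p, &c) != 0)
        return 1;
    printf("Remaining one-time passwords: %d of %d\n", c.remaining, c.total);
    remove(p);
    return 0;
}
```

A module doing this inside sshd should open the file with the target user's credentials rather than root's, so that a symlinked ~/.otpw cannot be used to make the daemon read another file.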

#440516#45
Date:
2013-01-24 21:49:49 UTC
From:
To:
Seeing this exact issue, with the offending log entry, in an up to date
Wheezy system.
pam_otpw was added to /etc/pam.d/sshd by commenting the "@include
common-auth" line and adding "auth required pam_otpw.so" and "session
optional pam_otpw.so" directly below it.
