Documentation of 'try_first_pass' PAM option seems inaccurate #94

Open
demern opened this issue May 31, 2024 · 1 comment

demern commented May 31, 2024

In the USAGE file for this repo, the following is written about the try_first_pass auth option:

```text
try_first_pass - Instead of prompting the user for a password, retrieve
                 the password from the previous authentication module.
                 If the password exists, try it, and return success if it
                 passes.
                 If there was no previous password, or the previous password
                 fails authentication, prompt the user with
                 "Enter RADIUS password: ", and ask for another password.
                 Try this password, and return success/failure as appropriate.

                 This is the default for authentication.
```

I do not believe this is completely accurate. It seems to me, after experimenting with the configuration on my system and inspecting the source, that pam_radius will not prompt again in the case where a non-NULL, invalid password is passed to it from a previous PAM module. It will simply fail to authenticate the user and pass the password down the chain (assuming the password is not empty, i.e. `*password == '\0'`. If it is an empty string, nothing is passed on because of this line. Not sure if that should be considered a bug or not. To me it would make sense to pass empty-string passwords on to the next layer... why treat them specially compared to any other password string? Since it's treated specially, you can end up with weird stuff where your auth stack behaves one way for all invalid passwords a user enters except "", and some other way for "". And either way, it doesn't seem documented. But I digress...).

If the behavior I've described is 'functioning as designed', or at least not going to be changed at this point, should the documentation be updated to reflect it?
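To make the difference between the documented and the reported behaviour concrete, here is a constructed model of both, added to this thread and not taken from pam_radius itself; the RADIUS check, the sample password and the prompt counter are stand-ins, and applying the empty-string rule to a prompted token is the model's own assumption.

```python
"""Constructed model of the two try_first_pass behaviours discussed above.
It is an illustration written for this issue, not pam_radius source code."""
from typing import Callable, Optional, Tuple

# Constructed sample credential: the only password the "RADIUS server" accepts.
RADIUS_PASSWORD = "radius-pw"

def radius_check(password: str) -> bool:
    """Stand-in for the Access-Request round trip to the RADIUS server."""
    return password == RADIUS_PASSWORD

def documented_auth(prev: Optional[str], prompt: Callable[[], str]) -> Tuple[bool, Optional[str]]:
    """What the USAGE text says: try the token from the previous module;
    if there was none or it is rejected, prompt once and try that instead.
    Returns (authenticated, token handed to the next module)."""
    if prev is not None and radius_check(prev):
        return True, prev
    token = prompt()
    return radius_check(token), token

def observed_auth(prev: Optional[str], prompt: Callable[[], str]) -> Tuple[bool, Optional[str]]:
    """What the reporter describes: a non-NULL previous token is tried once and
    the user is never re-prompted; an empty string is not passed down at all
    (assumption of this model: the empty-string rule also covers a prompted token)."""
    token = prev if prev is not None else prompt()
    passed_on = token if token != "" else None
    return radius_check(token), passed_on

def counting_prompt(answer: str) -> Tuple[Callable[[], str], list]:
    """Prompt stub that records how many times the user would have been asked."""
    calls: list = []
    def prompt() -> str:
        calls.append(answer)
        return answer
    return prompt, calls

def compare(prev: Optional[str], typed: str) -> dict:
    """Run both models on the same previous token and the same typed answer.
    Each value is (authenticated, token passed on, number of prompts shown)."""
    p1, c1 = counting_prompt(typed)
    p2, c2 = counting_prompt(typed)
    return {"documented": (*documented_auth(prev, p1), len(c1)),
            "observed": (*observed_auth(prev, p2), len(c2))}

if __name__ == "__main__":
    # Walk the cases from the report: no previous token, "", a wrong token, a right one.
    for prev in (None, "", "wrong-pw", RADIUS_PASSWORD):
        print(repr(prev), compare(prev, RADIUS_PASSWORD))
```

The "wrong-pw" and "" rows are the ones that matter for the report: the documented model re-prompts and can still succeed, the observed model fails without a prompt and drops the empty string entirely.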

@muzammel111

Can we disable this option try_first_pass? pam_radius version 2 is not working with 2FA (RADIUS + local OS auth), as it prompts again and again to enter the password and sends requests to RADIUS. In our case the RADIUS and local OS auth passwords are different.
