You may have a library conflict as GDM and pam will have loaded into the process
almost every shared library, from X11, LDAP, nss, Kerberos, OpenSSL ...
Make sure your pam module is linked as a module, so it gets the right versions
of routines, not some duplicate named routine from some previously loaded
module.
You can also have your module write a lot of debug output to syslog.
Have you looked at any of the pam PKCS#11 modules? Google for: gdm smart card.
For example there are a number of pam_krb5 modules that can use smart cards
to authenticate to Kerberos or Windows AD using the Kerberos PKINIT protocol,
and they work from GDM, and use pcscd. There is also the OpenSC pam_pkcs11
module for local authentication.
On 10/4/2010 8:41 PM, Matthew Brown wrote:
Hello,
I realize this has been discussed before, yet I failed to find something
directly relevant to my issue.
I am somewhat new to writing PAM modules and using PCSC, however, after
much research and trying I cannot get around this.
Although my final problem is entrenched in a larger set of code, I have
managed to isolate the issue I am experiencing to a fairly simple PAM
module that I have put into the gdm stack. Basically, in
pam_authenticate, I do the following (pseudo-code) :
pam_prompt : "enter YES to try the card"
{
    if YES, then perform a very basic PCSC set of calls :
        GetContext
        GetReaders
        GetStateChange - passing UNAWARE to get the current state
        GetStateChange - block with some reasonable timeout, awaiting a state
                         other than the initial
        ReleaseContext
    pam_prompt: "done. card event or timeout over. enter anything to continue"
}
return PAM_SUCCESS
This module is entered as "auth required test_module.so", which will
return success and continue to PAM_UNIX and ask for a username and password.
When I run the same set of PCSC calls in a simple app from the command
line, i.e. NOT from within the GDM PAM environment, everything is fine.
However, when I actually logout and get GDM to run my module, it is my
belief that any actual state change that occurs with my single usb card
reader causes PAM to restart the GDM login process. What I experience is
the first prompt, to which I enter "YES", then either insert or remove
the card, and I quickly see the final "done. card event" prompt, yet
very quickly it will reset the process - the screen blinks and I am
prompted again with "enter YES...". If I initially enter "NO", I am
taken right to the standard username prompt, as expected.
A look at the /var/log/messages file reveals a few hints :
gdm[pid] : conversation failed
gdm[pid] : gdm_cleanup_children: child [...] crashed of signal 11
gdm[pid] : gdm_cleanup_children: slave crashed, killing it's children
and /var/log/secure has something like this :
pam_succeed_if(gdm:auth) error retrieving user name: Conversation error
This looks to me like a segfault occurred somewhere, the result of which
is that PAM was unable to get my username, either because of or after
which it restarts. Yet as I said, when I run this exact set of PCSC
calls as a simple command line application through valgrind and gdb, all
is well. If I use this PAM module through SU, it also works without a hitch.
Any advice or help is appreciated.
Thanks much
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444