On 2/6/25 08:55, Matthias Gerstner wrote:
> [...]
> On the use of `PAM_SUCCESS`
> ---------------------------
> PAM modules that only serve utility functions but do not actually
> authenticate could consider not returning `PAM_SUCCESS` but `PAM_IGNORE`
> instead. This would avoid unintended successful authentication in a
> situation like described in this report. It seems natural to PAM module
> authors to return `PAM_SUCCESS` if nothing in their module failed,
> however. A lot of modules work this way and changing them all would be a
> big effort.

I have pruned the entire quote down to that paragraph because that is
the root cause of this and other issues. A similar issue occurred two
weeks ago with pam-u2f (CVE-2025-23013) and the same problem of utility
modules returning PAM_SUCCESS despite not actually authenticating anything.
These problems are going to keep happening as long as utility modules
continue to misuse PAM_SUCCESS.
There might be a possible workaround of adding a new keyword "utility"
or "hook" to PAM that ignores success but fails on actual failure and
using that with utility modules.
-- Jacob
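Added example, not from the report, from Linux-PAM or from any module named above: a small Python model of Linux-PAM's auth stack evaluation, showing why a utility module that returns PAM_SUCCESS under `sufficient` control is accepted before the real authenticator ever runs, while PAM_IGNORE leaves the decision to it. The `utility` control keyword is the proposal in the reply, modelled here as an assumption rather than an existing Linux-PAM feature; the module results in the scenario are constructed.

```python
# Constructed model of Linux-PAM's auth stack evaluation (not Linux-PAM code).
# Return codes carry the numeric values from Linux-PAM's _pam_types.h.
PAM_SUCCESS, PAM_SYSTEM_ERR, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_IGNORE = 0, 4, 6, 7, 25


def evaluate_stack(stack):
    """stack: list of (control, module_result) pairs in pam.d order.

    Simplified Linux-PAM rules:
      required   - failure is remembered, later modules still run
      requisite  - failure ends the stack immediately
      sufficient - success ends the stack at once unless a 'required'
                   module already failed; failure is ignored
      optional   - only counts on success
      utility    - HYPOTHETICAL keyword (proposed above): success becomes
                   PAM_IGNORE, failure is treated like 'required'
    A PAM_IGNORE result leaves the stack as if the module were not listed.
    """
    first_failure = None     # status remembered from a failed 'required' module
    contributed = False      # has any module produced a counted result?
    for control, result in stack:
        if control == "utility":                       # assumption, see docstring
            result = PAM_IGNORE if result == PAM_SUCCESS else result
            control = "required"
        if result == PAM_IGNORE or (control in ("sufficient", "optional")
                                    and result != PAM_SUCCESS):
            continue                                   # result does not count
        contributed = True
        if result != PAM_SUCCESS:
            if control == "requisite":
                return result
            if first_failure is None:                  # 'required' failure
                first_failure = result
        elif control == "sufficient" and first_failure is None:
            return PAM_SUCCESS                         # later modules are skipped
    if first_failure is not None:
        return first_failure
    return PAM_SUCCESS if contributed else PAM_PERM_DENIED


# Constructed scenario: a utility module listed as 'sufficient' ahead of the real
# authenticator, on an attempt where the password module would reject the user.
def outcome(utility_control, utility_result, real_result=PAM_AUTH_ERR):
    return evaluate_stack([(utility_control, utility_result), ("required", real_result)])


if __name__ == "__main__":
    print("utility returns PAM_SUCCESS :", outcome("sufficient", PAM_SUCCESS))  # 0: authenticated, password never checked
    print("utility returns PAM_IGNORE  :", outcome("sufficient", PAM_IGNORE))   # 7: password module decides
    print("proposed 'utility' keyword  :", outcome("utility", PAM_SUCCESS))     # 7
    print("'utility' with real failure :", outcome("utility", PAM_SYSTEM_ERR))  # 4
```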