pam_setcred() failure for applications not using PAM for authentication in RHEL5
Issue
The customer is using Tectia ssh with PKI certificates to establish a passwordless ssh connection to Red Hat Enterprise Linux servers. Access is granted based on a users PKI certificate validity. The usual PAM authentication modules (like pam_unix, pam_ldap, pam_kerberos) are not used. The sshd2 pam configuration looks like this:
auth required pam_tally2.so deny=5 unlock_time=1800
auth required pam_env.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_access.so accessfile=/etc/ldf/netgroupaccess.conf
account required pam_tally2.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_mkhomedir.so
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
A problem was encountered when the pam module PAM_TALLY2 was removed from this stack. On investigation the Tectia PAM session error was focused on pam_setcred returning PAM_PERM_DENIED.
This problem can affect any application that does not really use PAM for authentication.
Environment
Red Hat Enterprise Linux 5.3
x86_64
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.
