pam_setcred() failure for applications not using PAM for authentication in RHEL5


Issue

The customer is using Tectia SSH with PKI certificates to establish a passwordless ssh connection to Red Hat Enterprise Linux servers. Access is granted based on the validity of a user's PKI certificate. The usual PAM authentication modules (such as pam_unix, pam_ldap, pam_krb5) are not used. The sshd2 PAM configuration looks like this:

auth        required      pam_tally2.so deny=5 unlock_time=1800
auth        required      pam_env.so
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_access.so accessfile=/etc/ldf/netgroupaccess.conf

account     required      pam_tally2.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

A problem was encountered when the pam_tally2 module was removed from this stack. On investigation, the Tectia PAM session error was traced to pam_setcred() returning PAM_PERM_DENIED.

This problem can affect any application that does not actually use PAM for authentication.
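The sequence such an application follows can be reproduced with a small libpam client that calls pam_start() and pam_setcred() for the service but never pam_authenticate(); running it against the sshd2 stack with and without pam_tally2 shows which configuration makes setcred fail. This is an added example, not code from the Red Hat article or from Tectia; it assumes libpam is installed as libpam.so.0 (loaded with dlopen() so the file builds even where the PAM headers are missing, in which case probe_setcred() returns -1) and that the service name sshd2 exists under /etc/pam.d.

```c
/* Added reproducer: pam_setcred() without a preceding pam_authenticate(). */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>

#define PAM_SUCCESS        0
#define PAM_PERM_DENIED    6        /* Linux-PAM value reported in the issue */
#define PAM_CONV_ERR       19
#define PAM_ESTABLISH_CRED 0x0002

struct pam_conv {                    /* mirrors <security/pam_appl.h> */
    int (*conv)(int, const void **, void **, void *);
    void *appdata_ptr;
};
typedef int (*start_fn)(const char *, const char *, const struct pam_conv *, void **);
typedef int (*int_fn)(void *, int);
typedef const char *(*str_fn)(void *, int);

/* Nothing in a setcred pass should prompt the user; refuse any conversation. */
static int no_conv(int n, const void **m, void **r, void *d)
{ (void)n; (void)m; (void)r; (void)d; return PAM_CONV_ERR; }

/* Returns the pam_setcred() status for service/user, or -1 if libpam is unavailable. */
int probe_setcred(const char *service, const char *user)
{
    void *lib = dlopen("libpam.so.0", RTLD_NOW);   /* assumed soname */
    if (!lib) return -1;
    start_fn start   = (start_fn)dlsym(lib, "pam_start");
    int_fn   setcred = (int_fn)dlsym(lib, "pam_setcred");
    int_fn   end     = (int_fn)dlsym(lib, "pam_end");
    str_fn   strerr  = (str_fn)dlsym(lib, "pam_strerror");
    if (!start || !setcred || !end || !strerr) { dlclose(lib); return -1; }

    struct pam_conv conv = { no_conv, NULL };
    void *pamh = NULL;
    int rc = start(service, user, &conv, &pamh);
    if (rc != PAM_SUCCESS) { dlclose(lib); return rc; }
    /* Deliberately no pam_authenticate(): the application authenticated by PKI. */
    rc = setcred(pamh, PAM_ESTABLISH_CRED);
    printf("pam_setcred(%s, %s) = %d (%s)\n", service, user, rc, strerr(pamh, rc));
    end(pamh, rc);
    dlclose(lib);
    return rc;
}

int main(int argc, char **argv)
{
    const char *svc  = argc > 1 ? argv[1] : "sshd2";
    const char *user = argc > 2 ? argv[2] : getenv("USER");
    return probe_setcred(svc, user ? user : "root") == PAM_SUCCESS ? 0 : 1;
}
```

Run it once with the stack as listed and once with the pam_tally2 lines removed; a result of 6 (PAM_PERM_DENIED) is the failure the Tectia session log reports.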

Environment

Red Hat Enterprise Linux 5.3

x86_64
