Description
I'm trying to build/run pam-oauth2 for an OS like alpine.
PAM always gives an error message:
Authentication service cannot retrieve user credentials
This seems to be caused by:
PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    return PAM_CRED_UNAVAIL;
}
In the oath toolkit (https://oath-toolkit.codeberg.page/) (I know, oath, not oauth!), the equivalent code for pam_sm_setcred just returns PAM_SUCCESS.
And in pam_ldap:
https://github.com/PADL/pam_ldap/blob/656448f091cbeb9efb3ece08e6868e40b8e7b6f8/pam_ldap.c#L3551
return PAM_SUCCESS;
Is that something "bad" (I don't fully understand what setcred is trying to do...)? We could just tweak your code to do that!
Example Dockerfile:
FROM alpine
RUN apk add gcc make linux-pam linux-pam-dev libcurl curl-dev openssl-dev musl-dev shadow-login syslog-ng
ADD https://github.com/CyberDem0n/pam-oauth2.git /app
# It gets the submodules already
WORKDIR /app
RUN make
RUN DESTDIR=/usr make install
RUN cat <<EOF >/usr/lib/pam.d/login
auth sufficient pam_oauth2.so http://oauthserver:8000/?access_token= uid grp=tester
account sufficient pam_oauth2.so
account sufficient pam_permit.so
EOF
RUN adduser -D foo
Change oauthserver to your server address, run docker build -t oauth and docker run -it oauth, then start syslog-ng so you can see any logs and log in as foo. If you've got everything else set up, you should see a failure in /var/log/auth.log. If you got the password right, it should have the message above.
If I add:
RUN sed -i 's/PAM_CRED_UNAVAIL/PAM_SUCCESS/' pam_oauth2.c
before the make, then I can log in fine, or if I supply a bad password, I fail to log in. So it feels like nothing is "broken"...
(Or you can run that sed command in the running container, then make and install, and try logging in again.)