Privacyidea-pam hangs if login is wrong

huckley · June 20, 2017, 7:31pm

Hello,

I am using privacyidea-pam (2.19-1trusty) on a debian jessie.
If I login with the correct auth all works as expected.
If I try to login with a wrong auth, the login hangs on the password and came never back.
I expect that the login says: Login incorrect.
Any Idea what why it hangs?

I debug a little bit and I see that the privacyidea-pam returns 7(pamh.PAM_AUTH_ERR).

the pam.d file says:
account required pam_permit.so
session required pam_permit.so
auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=https://url debug
auth required pam_deny.so

denying login with pam_deny.so works.
denying login with pam_python.so /usr/share/doc/libpam-python-doc/examples/pam_deny.py
works also.

foot3print · June 22, 2017, 9:00am

Hi huckley,

I also use the privacyidea-pam but am not experiencing this. Although my Setup is a little different (2.19 on Ubuntu xenial) but generally i would also have the same effect as you are, i think. Ive tried different scenarios like the following and it seems fine in my case:

Entering wrong password(s) - single/multiple tries.
Entering correct password but wrong OTP - single/multiple tries.
Entering wrong passwords, then cancel it the second try.

Maybe it would be more helpful if you take a look at your ssh-server daemon, logs?

PS. I also have auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=https://url debug

Regards,