I want to run a script when an authentication failure occurs. But, with the following conf file, authentication always fails even when the proper credentials are supplied.

auth       [success=1 new_authtok_reqd=ok ignore=ignore default=bad] pam_unix.so
auth       optional     pam_exec.so  /usr/bin/log_failure
password   required     pam_unix.so  md5

Authentication works by changing "success=1" to "success=ok", though obviously the failure script will always run.

I tried looking through the source code of _pam_dispatch_aux and it doesn't seem to return the first rule's return when there is no rule to jump to. If I add another rule so there is something to jump to, everything works.

auth       [success=1 new_authtok_reqd=ok ignore=ignore default=bad]  pam_unix.so 
auth       optional     pam_exec.so  /usr/bin/log_failure
auth       optional     pam_exec.so  /usr/bin/noop
password   required     pam_unix.so  md5

Am I doing something wrong in my conf file, trying something that shouldn't work, or is there a bug?

vader90210

1 Answer

This is working as intended.

success=n does not contribute to the return of the module stack. The result is that a successful authentication against pam_unix.so returns failure (because nothing returns a success of ok or done), and a failed authentication returns failure (as expected, because pam_exec.so returning success in this context would be Very Bad).

Try the following instead:

auth       sufficient   pam_unix.so
auth       optional     pam_exec.so  /usr/bin/log_failure
password   required     pam_unix.so  md5

sufficient means "stop here if we were successful, otherwise keep going". This should have the desired effect.

If /usr/bin/log_failure is a script though, the security nut in me would be more inclined to try this...

auth       sufficient   pam_unix.so
auth       [default=ignore]     pam_exec.so  /usr/bin/log_failure
password   required     pam_unix.so  md5

This prevents a success returned by log_failure from allowing a login.

Andrew B
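The stack behaviour the answer describes (a jump contributes nothing, ok/done contribute, sufficient stops on success) as an added simulation that is not part of the question, the answer, or Linux-PAM itself: it models the action rules of _pam_dispatch_aux for the auth stacks in this thread, with module return codes constructed for a right or wrong password and for /usr/bin/log_failure exiting 0 or not. It shows why the original config denies a correct password and why the sufficient + optional variant lets a script that exits 0 grant a login on a wrong password, which the [default=ignore] variant prevents.

```python
import re
SUCCESS, AUTH_ERR, DENIED = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_PERM_DENIED"
KEYWORDS = {  # the keyword controls used on the auth lines above, expanded as in pam.conf(5)
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional": "[success=ok new_authtok_reqd=ok default=ignore]",
}
RETKEY = {SUCCESS: "success", "PAM_NEW_AUTHTOK_REQD": "new_authtok_reqd", "PAM_IGNORE": "ignore"}
LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_auth_stack(conf):
    """[(module, {return-key: action})] for the 'auth' lines of a pam.conf text."""
    stack = []
    for line in conf.strip().splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1) == "auth":
            ctrl = KEYWORDS.get(m.group(2), m.group(2))
            stack.append((m.group(3), dict(kv.split("=") for kv in ctrl.strip("[]").split())))
    return stack

def dispatch(stack, results):
    """Model of _pam_dispatch_aux's action rules; results maps module name -> return code."""
    impression, status, i = None, None, 0  # None stands for _PAM_UNDEF (nothing contributed yet)
    while i < len(stack):
        module, actions = stack[i]
        retval = results[module]
        action = actions.get(RETKEY.get(retval, "default"), actions.get("default", "bad"))
        i += 1 + (int(action) if action.isdigit() else 0)  # a jump skips N entries and contributes nothing
        if action in ("ok", "done"):  # contributes unless an earlier failure is already recorded
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):  # "ignore" reaches neither branch: result unused
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
    return DENIED if impression is None else status  # no contribution at all -> deny

def auth(conf, password_ok, script_exit_ok=True):
    results = {"pam_unix.so": SUCCESS if password_ok else AUTH_ERR,  # constructed module results
               "pam_exec.so": SUCCESS if script_exit_ok else "PAM_SYSTEM_ERR"}
    return dispatch(parse_auth_stack(conf), results)

ORIGINAL = """auth [success=1 new_authtok_reqd=ok ignore=ignore default=bad] pam_unix.so
auth optional pam_exec.so /usr/bin/log_failure"""
SUFFICIENT = """auth sufficient pam_unix.so
auth optional pam_exec.so /usr/bin/log_failure"""
HARDENED = """auth sufficient pam_unix.so
auth [default=ignore] pam_exec.so /usr/bin/log_failure"""
```

Adding the questioner's extra noop line to ORIGINAL (ORIGINAL + "\nauth optional pam_exec.so /usr/bin/noop") makes a correct password succeed again in the model, because the jump lands on a module whose ok action contributes.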