jeroennijhof/pam_script

PAM_AUTHTOK contents

Closed this issue · 2 comments

When calling pam_script_auth during auth for sshd (configured as required), I get the cleartext password in PAM_AUTHTOK only when the login is successful. Great.
However, if the login is unsuccessful the PAM_AUTHTOK environment variable contains a couple of binary characters and not the password in the clear, as expected.
Is this a bug in pam-script?

I tried the same thing with pam_exec and the behaviour is the same: if the user exists, I get a proper value in PAM_AUTHTOK; if not, the value is binary gibberish.
Probably not a pam_script issue then.

It's OpenSSH's fault, it doesn't provide the entered passwords for invalid users.
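
An added example, not part of the original thread or of pam_script: a `pam_script_auth` helper that recognises the "binary gibberish" described above, so the script can tell sshd's filler from a typed password and keep either out of its logs. It assumes the filler is the string OpenSSH's `auth-pam.c` substitutes for invalid users (backspace, newline, carriage return, DEL, then `INCORRECT`, which newer releases repeat to the length of the typed password); the function names and the log tag are hypothetical.

```shell
#!/bin/sh
# Added example, not part of pam_script. Recognises the filler that OpenSSH's
# sshd hands to PAM in place of the typed password for an invalid user.

# The filler bytes: backspace, newline, carriage return, DEL, then "INCORRECT".
SSHD_JUNK=$(printf '\b\n\r\177INCORRECT')

# is_sshd_placeholder TOKEN -> exit status 0 if TOKEN is the filler, either the
# 13-byte string itself or the same bytes repeated/truncated to another length.
is_sshd_placeholder() {
    isp_tok=$1
    [ -n "$isp_tok" ] || return 1          # empty token: nothing to match
    isp_pat=$SSHD_JUNK
    while [ "${#isp_pat}" -lt "${#isp_tok}" ]; do
        isp_pat=$isp_pat$SSHD_JUNK
    done
    case $isp_pat in
        "$isp_tok"*) return 0 ;;           # token is a prefix of the repeated filler
    esac
    return 1
}

# classify_authtok TOKEN -> prints empty | placeholder | password
classify_authtok() {
    if [ -z "$1" ]; then echo empty
    elif is_sshd_placeholder "$1"; then echo placeholder
    else echo password
    fi
}

# Runs only when the file is installed under the name pam_script_auth.
if [ "${0##*/}" = pam_script_auth ]; then
    kind=$(classify_authtok "${PAM_AUTHTOK:-}")
    # Log the classification only, never the token itself.
    logger -t pam_script_auth "authtok=$kind"
    [ "$kind" = password ] || exit 1       # no usable password: fail this module
    # Site-specific password handling goes here (hypothetical); deny by default.
    exit 1
fi
```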