RSA PAM Agent not returning PAM_AUTHINFO_UNAVAIL when ACE server unreachable

Question asked by Grant Ashton on Nov 20, 2017
Latest reply on Dec 9, 2017 by Grant Ashton

Why does the RSA SecurID PAM Agent not return PAM_AUTHINFO_UNAVAIL (9) when it can't connect to the RSA ACE server? Instead it returns PAM_AUTH_ERR, which is indistinguishable from a genuine authentication failure.


The acetest binary is able to detect this state; however, the library does not return this state.


# /opt/pam/bin/64bit/acetest
Cannot communicate with the ACE/Server.


# ./ grant.ashton
USERNAME: grant.ashton
Authentication failure (7)


Really the module should return PAM_AUTHINFO_UNAVAIL in this state, so that applications can use this to detect that the authentication service is down and handle this situation. In my situation I need to be able to perform other checks if the ACE server(s) are unreachable.


How I would expect it to behave:

# ./ grant.ashton
USERNAME: grant.ashton
Authentication service cannot retrieve authentication info (9)
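
Added example, not part of the original post and not RSA's own configuration: on Linux-PAM (an assumption, since the post does not name the platform) the stack can branch on an outage only if the module reports one. `pam_securid.so` is assumed to be the agent's installed module name, and `pam_fallback_check.so` is a hypothetical placeholder for the "other checks".

```conf
# /etc/pam.d/example-service   (constructed; the service name is a placeholder)
#
# Control values on the SecurID line, keyed by the module's return code:
#   success=done             passcode accepted: stop here, user is authenticated
#   authinfo_unavail=ignore  PAM_AUTHINFO_UNAVAIL (9): skip this module, go to the next line
#   default=die              any other code, PAM_AUTH_ERR (7) included: fail at once, no fallback
auth  [success=done authinfo_unavail=ignore default=die]  pam_securid.so

# Hypothetical module standing in for the checks to run only during an outage.
auth  required  pam_fallback_check.so
```

With the behaviour reported in the post, an unreachable server yields PAM_AUTH_ERR and lands on `default=die`, so the second line never runs; mapping `auth_err` to `ignore` instead would send wrong passcodes to the fallback as well.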





