This was reported downstream on SES 5.5:
During the execution of auth.authenticate() there's a call to pam_conversation() which is supposed to simply return the password. But there's an additional parameter userData that prevents the successful return of that password, so the authentication fails.
The authentication succeeded after we simply removed the parameter (we haven't noticed negative impacts yet). This is our small change:
# diff -u /usr/share/openattic/pamauth.py.dist /usr/share/openattic/pamauth.py
--- /usr/share/openattic/pamauth.py.dist 2019-08-21 16:13:41.461778578 +0200
+++ /usr/share/openattic/pamauth.py 2019-08-21 16:13:48.181641816 +0200
@@ -43,7 +43,7 @@
self.service = service
self.userPassword = ""
- def pam_conversation( self, auth, query_list, userData):
+ def pam_conversation( self, auth, query_list):
""" This method will be called by PAM (authenticate()) to
retrieve authentication tokens. We can only answer with
the password and hope it works (we don't know anything else).
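Review bot: On the changed signature line, dropping `userData` outright makes the callback fail in the opposite direction whenever the PAM binding does pass a third argument. Keeping it as an optional parameter, `def pam_conversation( self, auth, query_list, userData=None):`, accepts both calling conventions. Before settling the signature, confirm how many arguments the installed PAM module passes when authenticate() invokes the callback, since the report only says no negative impacts have been noticed yet. The diff is against the installed copy at /usr/share/openattic/pamauth.py, so the fix also has to land in the packaged source or a package update will overwrite it.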