Why doesn't pam_set_data() work with ssh?

Pavel Kankovsky peak at argo.troja.mff.cuni.cz
Sun Jan 14 13:06:38 UTC 2007


On Fri, 12 Jan 2007, fender wrote:

> This module uses pam_set_data() function to save status information for
> next login attempts. With login application it works fine, but with
> ssh application it doesn't work.

"ssh" means OpenSSH, right? Afaik, OpenSSH runs PAM authentication in a
standalone process forked off the master process (monitor). The process is
started before every authentication attempt and exits after it. Any
changes made to PAM data during the first attempt are lost before the
next attempt.

You can use some external (out-of-process) storage to store tokens. Or you
can modify your module to be able to send and receive token during a
single authentication attempt (using keyboard-interactive authentication
method). Or you can hack OpenSSH to preserve PAM state between attempts
(doable but quite tricky imho).

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
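
The process model described in the reply, with the out-of-process storage option next to it, as an added example that is not part of the original post. It does not link against libpam: a static variable stands in for data kept with pam_set_data(), and the names `counter_add`, `simulate` and the scratch file path are assumptions made for this sketch.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for data kept with pam_set_data(): it exists only in this process. */
static int in_process_attempts = 0;
int last_in_process_view = -1; /* what the last child saw in its own copy */

/* Add delta to a counter held in an external file, under an exclusive lock.
 * Returns the new value (delta 0 just reads it), or -1 on error. */
int counter_add(const char *path, int delta) {
    char buf[32] = {0};
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0 || flock(fd, LOCK_EX) != 0) { if (fd >= 0) close(fd); return -1; }
    int count = (pread(fd, buf, sizeof buf - 1, 0) > 0 ? atoi(buf) : 0) + delta;
    int len = snprintf(buf, sizeof buf, "%d\n", count);
    if (ftruncate(fd, 0) != 0 || pwrite(fd, buf, (size_t)len, 0) != len) count = -1;
    close(fd); /* closing the descriptor drops the lock */
    return count;
}

/* Run `attempts` authentication attempts, each in a child that exits afterwards
 * (the per-attempt process described above). Returns the external counter. */
int simulate(int attempts) {
    char path[] = "/tmp/attempts-XXXXXX"; /* constructed scratch file */
    int fd = mkstemp(path), status = 0;
    if (fd < 0) return -1;
    close(fd);
    for (int i = 0; i < attempts; i++) {
        pid_t pid = fork();
        if (pid < 0) break;
        if (pid == 0) { /* child: one attempt, then exit */
            in_process_attempts++; /* lost when the child exits */
            _exit(counter_add(path, 1) < 0 ? 255 : in_process_attempts);
        }
        waitpid(pid, &status, 0);
        last_in_process_view = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    }
    int total = counter_add(path, 0);
    unlink(path);
    return total;
}
int main(void) {
    int total = simulate(3);
    return printf("external=%d in-process=%d\n", total, last_in_process_view) < 0;
}
```

Every child starts from the parent's untouched copy of the in-process counter, so it never gets past 1, while the file-backed counter reaches the number of attempts. A real module would keep such a file in a directory writable only by root and key it by user name.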



