[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

PAM Questions RE: S/Key



Greetings.  I just picked up the PAM stuff and decided that I wanted to get
S/Key working with it.  I saw that there was an S/Key PAM out there already,
but it doesn't look like that one has been touched recently.  That one doesn't
look like it's "production ready", and it's also using s/key version 1.1.
So I'd like to start out by registering pam_skey2 as an S/Key that's based off
of the libskey version 2.2.

This afternoon I was able to get most of the way there.  If anyone else is
interested in an S/Key PAM, it'll probably be ready for early testing in
the next couple of days.  However, I have a couple of questions.

First, a quick overview.  S/Key has an skey.access file that allows you to
allow or deny users from using their UNIX password based on certain criteria
(uid, port name, remote system name, etc).  If you fail this test, you are
REQUIRED to use an S/Key, otherwise you can use an S/Key *OR* your UNIX
password.

So far, so good.  The skey.access stuff is all working, and in fact the S/Key
password works fine.  However, I'm having problems with the interaction with
the rest of the system.  It doesn't look like there's a return code for
"AUTH_FAILED_CONTINUE_ANYWAY".

It seems like the closest thing I can get to correct is setting up both
pam_skey2 and pam_unix_auth as required.  However, that doesn't give me
the ability for S/Key to fail, but still reject the UNIX password.  It
seems like the best I can do is mark pam_skey2 as required, and have it
return PAM_SUCCESS in the event that the authentication failed, but a
UNIX password is permitted, and only return PAM_AUTH_ERR when the UNIX
password is not allowed and the skey fails.  Otherwise it would return
PAM_SUCCESS.

Oh, another question:  The FTP daemon doesn't seem to like using S/Key.
When you specify the user ID to PAM, a challenge string is sent to the
user ("s/key 81 sh84387") which allows the s/key to be generated.  However,
in an FTP session, I don't get asked for a password as normal:

Name (localhost:jafo): jafo
530-s/key 92 sy278700
530 
Login failed.
ftp> user
(username) jafo
530 Please login with USER and PASS.
Login failed.
ftp> user jafo
331 Password required for jafo.
Password: 
530 Please login with USER and PASS.
Login failed.

I'm suspecting this is a problem with the FTP daemon's implementation of
PAM.  It looks like the message that's getting sent is getting terminated
prematurely (the 530 line without a '-').  A normal login looks like this:

Name (localhost:jafo): jafo
331 Password required for jafo.
Password:

Note:  I'm using the RedHat 4.0 distribution with their PAM extensions.

Hopefully this is reasonably understandable.  It's getting a bit late.  :-)

Sean
-- 
 I'm one of the leading experts in the field of Data Mimeing.  Unfortunately,
 I'm not allowed to tell you anything about it.  -- Sean Reifschneider 
Sean Reifschneider, Inimitably Superfluous <jafo@tummy.com>
URL: <http://www.tummy.com/xvscan>  HP-UX/Linux/FreeBSD X11 scanning software.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []