
Re: Decoupling PAM prompts from responses

Damien Miller wrote:
> Hi,
> Is it possible to decouple the collection of prompts from the response
> to them? It seems that you have to do both at once in the conversation
> function.
> I want to be able to grab the prompts and then respond to them with a
> separate call.

The pam itself isn't asynchronous -- it asks a question and expects
to see an answer on return.

> Why? I am rewriting OpenSSH's PAM keyboard interactive auth method
> to integrate better (currently it abuses the protocol a bit :). Auth
> requests and responses can come asynchronously, and we use a callback
> architecture to process them when they arrive. I can't make this fit
> with the conversation function's need to deliver the prompts and expect
> the replies within the same function.
> Any help would be appreciated.

What you ask will be a non-trivial task, if at all possible.  Strictly
speaking it is not possible, but let's draw a picture first.  A pam
module calls a user callback, expecting an answer to be filled in
or an error to be returned.  One of the return codes can be PAM_CONV_AGAIN.
After this return, a module should return PAM_INCOMPLETE to the caller,
and the caller should ensure the conversation is ready and call the pam
routine (e.g. pam_authenticate) again.  Looks like just what you want.
But there are two problems.

First of all, not all modules are ready to handle PAM_CONV_AGAIN
properly (some of them will return some sort of generic error to the
caller, e.g. PAM_AUTH_ERR).  Those are bugs, but it is difficult to fix
them.  (I last looked at the pam sources about a year ago, so things
might have changed, but I doubt they have.)

And second, even if you do what looks like the way to go, things
will not work.  There will be no mapping between old and new prompts
and responses.  Even if you collect both, there will be no way
to fill the answers to the old questions into the new questions.  Moreover,
there is no guarantee that the new prompts will be the same!  Currently,
with commonly used modules, you will get the same prompts in the
same sequence next time.  But nothing stops a module from asking
different questions.

The only way to go IMHO is to define some structure to track the
answers and fill in the pam request structure, call the pam routine,
turn on a global flag (we're inside a pam call) in order to avoid
nested calls, and then from the callback continue the async send/receive,
one at a time, until all the answers are filled in or an error/abort
is seen, and then return.  This looks somewhat ugly, but I see
no other way to do this.  Having a good async routine set, this will
be more or less clean.
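The following is an added illustration (not from the thread or from OpenSSH) of the answer-store idea described in the reply above: the conversation callback serves prompts from a table the async layer filled in earlier and otherwise returns PAM_CONV_AGAIN, so the module can report PAM_INCOMPLETE and the caller re-enters pam_authenticate() once the missing answer has arrived. The libpam types and constants are stand-ins defined here (assumed to match Linux-PAM's <security/pam_appl.h>) so the file builds without libpam; the store type and its functions are hypothetical names.

```c
/* Stand-ins for libpam declarations (assumed to match Linux-PAM); real
 * code includes <security/pam_appl.h> instead of defining these. */
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS          0
#define PAM_BUF_ERR          5
#define PAM_CONV_AGAIN      30
#define PAM_PROMPT_ECHO_OFF  1
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Answer store filled by the async layer before pam_authenticate() is
 * (re)entered. Keyed on prompt text so an old answer is never pasted
 * into a different question, which is the mismatch the reply warns about. */
#define MAX_ANSWERS 8
struct answer_store {
    const char *prompt[MAX_ANSWERS], *answer[MAX_ANSWERS];
    int n;
    const char *pending;   /* prompt the async layer still has to answer */
};

int add_answer(struct answer_store *s, const char *prompt, const char *ans) {
    if (s->n >= MAX_ANSWERS) return -1;
    s->prompt[s->n] = prompt; s->answer[s->n] = ans; s->n++;
    return 0;
}

static const char *lookup(const struct answer_store *s, const char *prompt) {
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->prompt[i], prompt) == 0) return s->answer[i];
    return NULL;
}

/* Conversation function for struct pam_conv, with the store as appdata_ptr.
 * Any unknown prompt makes the whole call return PAM_CONV_AGAIN; the module
 * is then expected to return PAM_INCOMPLETE and be called again later. */
int store_conv(int num_msg, const struct pam_message **msg,
               struct pam_response **resp, void *appdata_ptr) {
    struct answer_store *s = appdata_ptr;
    for (int i = 0; i < num_msg; i++)
        if (!lookup(s, msg[i]->msg)) { s->pending = msg[i]->msg; return PAM_CONV_AGAIN; }
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < num_msg; i++) {           /* the module frees r[] */
        const char *a = lookup(s, msg[i]->msg);
        if (!(r[i].resp = malloc(strlen(a) + 1))) { free(r); return PAM_BUF_ERR; }
        memcpy(r[i].resp, a, strlen(a) + 1);
    }
    *resp = r; s->pending = NULL;
    return PAM_SUCCESS;
}
```

The caller side is the loop the reply sketches: call pam_authenticate(), and on PAM_INCOMPLETE read `pending`, obtain that answer over the async channel, add_answer() it, and call pam_authenticate() again.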

