SSHD doesn't allow PAM module to use its own prompt for password
Kent Wu
kwu at xsigo.com
Thu Apr 27 21:37:41 UTC 2006
Hi Darren,
I'm using OpenSSH and you're right, after enabling
ChallengeResponseAuthentication in sshd_config it's working.
Thanks!!
BTW, I don't see any security holes by enabling
ChallengeResponseAuthentication, please let me know if you think
otherwise.
-Kent
-----Original Message-----
From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com]
On Behalf Of Darren Tucker
Sent: Thursday, April 27, 2006 2:20 PM
To: Pluggable Authentication Modules
Subject: Re: SSHD doesn't allow PAM module to use its own prompt for password
On Thu, Apr 27, 2006 at 12:17:21PM -0700, Kent Wu wrote:
> Hi guys,
>
> I'm trying to write up my own PAM module to authenticate users
> coming in from ssh channel. This module was working pretty well until
> lately I wanted to enhance it a bit.
>
> What I tried to achieve is that when the system is in a bad
> state (detected by my PAM module), I want to prompt the user for a
> special pre-defined password for recovery purpose; the prompt I wanted
> is like "system is unstable, pls provide recovery password:". I passed
> this message through the pam_conv structure which I got by calling:
>
> pam_get_item(pamh, PAM_CONV, &void_conv);
>
> However this prompt never showed up in my log-in screen. Here I
> specified the msg_style as either PAM_PROMPT_ECHO_OFF or
> PAM_PROMPT_ECHO_ON, however none of this works.
>
> So I'm thinking even though PAM has defined this conversation
> structure, it looks like SSHD doesn't really honor it well enough. Am I
> missing something here or is there a workaround for me to achieve what
> I want?
Which ssh server software and version are you running?
If it's OpenSSH, you need to be using keyboard-interactive authentication
in sshd for this sort of thing to work. Make sure it's enabled in the
server's sshd_config ("ChallengeResponseAuthentication yes") then try
"ssh -o preferredauthentications=keyboard-interactive yourserver".
If that doesn't work then it's probably a bug somewhere, possibly in sshd.
In SSH in general, basic password authentication within the protocol
doesn't provide enough flexibility to do what you want. (It's possible
for sshd to hack around some of the limits by using things like SSHv2
banner packets, which OpenSSH's sshd does for some things.)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
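Darren's advice above can be checked on the server before trying the client. This is an added example (not code from the thread or from OpenSSH): a POSIX shell checker that reads an sshd_config the way sshd does (first occurrence of a keyword wins, global section before any Match block only) and reports whether UsePAM and ChallengeResponseAuthentication together allow a PAM module's own conversation prompts to reach the ssh client. The two sample configs are constructed, and the checker assumes OpenSSH's documented defaults (UsePAM no, ChallengeResponseAuthentication yes) for absent keywords.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): does this sshd_config let a PAM
# module's conversation prompts reach the ssh client? Both "UsePAM yes" and
# "ChallengeResponseAuthentication yes" are needed. Assumptions: first occurrence
# of a keyword wins (sshd semantics), whitespace between keyword and value, only
# the global section before the first "Match" block counts, and OpenSSH defaults
# apply when a keyword is absent (UsePAM no, ChallengeResponseAuthentication yes).
# Newer OpenSSH also accepts the alias KbdInteractiveAuthentication (not checked).

# effective_opt FILE KEYWORD DEFAULT -> prints the effective value, lowercased
effective_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        NF == 0 || /^[ \t]*#/ { next }         # blank and comment lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }  # absent: OpenSSH default
    ' "$1"
}

# pam_prompts_reach_client FILE -> exit 0 if prompts are relayed, 1 otherwise
pam_prompts_reach_client() {
    use_pam=$(effective_opt "$1" UsePAM no)
    cra=$(effective_opt "$1" ChallengeResponseAuthentication yes)
    rc=0
    if [ "$use_pam" != "yes" ]; then
        echo "UsePAM is '$use_pam': sshd never calls the PAM stack"; rc=1
    fi
    if [ "$cra" != "yes" ]; then
        echo "ChallengeResponseAuthentication is '$cra': no keyboard-interactive, PAM prompts are dropped"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: PAM conversation prompts can reach the client"
    return "$rc"
}

# Constructed sample configs: a distro-style default, and the fixed version.
tmpdir=$(mktemp -d)
cat > "$tmpdir/sshd_config.blocked" <<'EOF'
# keyboard-interactive off; UsePAM given twice, the first occurrence wins
ChallengeResponseAuthentication no
UsePAM yes
UsePAM no
EOF
cat > "$tmpdir/sshd_config.fixed" <<'EOF'
UsePAM yes
ChallengeResponseAuthentication yes
Match User recovery
    ChallengeResponseAuthentication no
EOF
pam_prompts_reach_client "$tmpdir/sshd_config.blocked" || :   # expected: blocked
pam_prompts_reach_client "$tmpdir/sshd_config.fixed"
```

The Match block in the second sample is deliberately ignored, since a per-user override does not change what the global sshd_config tells you about keyboard-interactive support.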
_______________________________________________
Pam-list mailing list
Pam-list at redhat.com
https://www.redhat.com/mailman/listinfo/pam-list