SSHD doesn't allow PAM module to use its own prompt for password
b.hines at comcast.net
Fri Apr 28 13:09:08 UTC 2006
Give this link a read; it may help.
http://www.puschitz.com/SecuringLinux.shtml#EnforcingStrongerPasswords
Bob
-------------- Original message --------------
From: Darren Tucker <dtucker at zip.com.au>
> On Thu, Apr 27, 2006 at 12:17:21PM -0700, Kent Wu wrote:
> > Hi guys,
> >
> > I'm trying to write up my own PAM module to authenticate users
> > coming in over an ssh channel. This module was working pretty well until
> > lately, when I wanted to enhance it a bit.
> >
> > What I tried to achieve is that when the system is in a bad
> > state (detected by my PAM module), I want to prompt the user for a
> > special pre-defined password for recovery purposes; the prompt I wanted
> > is like "system is unstable, pls provide recovery password:". I passed
> > this message through the pam_conv structure, which I got by calling:
> >
> > pam_get_item(pamh, PAM_CONV, &void_conv);
> >
> > However, this prompt never showed up on my log-in screen. Here I
> > specified the msg_style as either PAM_PROMPT_ECHO_OFF or
> > PAM_PROMPT_ECHO_ON; however, neither of these works.
> >
> > So I'm thinking that even though PAM has defined this conversation structure,
> > it looks like SSHD doesn't really honor it well enough. Am I
> > missing something here, or is there a workaround for me to achieve what I
> > want?
>
> Which ssh server software and version are you running?
>
> If it's OpenSSH, you need to be using keyboard-interactive authentication
> in sshd for this sort of thing to work. Make sure it's enabled in the
> server's sshd_config ("ChallengeResponseAuthentication yes") then try
> "ssh -o preferredauthentications=keyboard-interactive yourserver".
> If that doesn't work then it's probably a bug somewhere, possibly in sshd.
>
> In SSH in general, basic password authentication within the protocol
> doesn't provide enough flexibility to do what you want. (It's possible
> for sshd to hack around some of the limits by using things like SSHv2
> banner packets, which OpenSSH's sshd does for some things.)
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
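A way to check the sshd settings Darren's reply depends on, as an added example that is not part of the thread: it assumes an OpenSSH sshd, brings in the UsePAM option (OpenSSH's switch for PAM, which the thread does not mention), and runs over constructed sample configs rather than a real file.

```shell
#!/bin/sh
# Constructed sshd_config samples (not from the thread). In SAMPLE_BAD the
# later "yes" is a trap: sshd keeps the FIRST value it sees for a keyword.
SAMPLE_BAD='Port 22
UsePAM yes
ChallengeResponseAuthentication no
# a repeated keyword further down is ignored by sshd:
ChallengeResponseAuthentication yes
PasswordAuthentication yes'

# Keywords are case-insensitive; settings inside a Match block are conditional.
SAMPLE_GOOD='usepam yes
challengeresponseauthentication yes
Match User guest
ChallengeResponseAuthentication no'

# sshd_effective_value KEYWORD CONFIG_TEXT
# Prints (lower-cased) the value sshd applies globally: first match wins,
# comments and blank lines are skipped, and parsing stops at the first Match
# block. Prints nothing when the keyword is absent (sshd uses its default).
sshd_effective_value() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[ \t]*(#|$)/              { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }'
}

# kbdint_pam_ready CONFIG_TEXT
# Returns 0 when sshd would pass PAM conversation prompts to a
# keyboard-interactive client, 1 otherwise (reason printed). Defaults follow
# sshd_config(5): ChallengeResponseAuthentication defaults to yes, UsePAM to no.
kbdint_pam_ready() {
    cra=$(sshd_effective_value ChallengeResponseAuthentication "$1")
    pam=$(sshd_effective_value UsePAM "$1")
    rc=0
    if [ "${cra:-yes}" != yes ]; then
        echo "ChallengeResponseAuthentication is '$cra' (needs yes)"; rc=1
    fi
    if [ "${pam:-no}" != yes ]; then
        echo "UsePAM is '${pam:-no}' (needs yes)"; rc=1
    fi
    return $rc
}

# Stand-alone demonstration over both constructed samples.
for name in SAMPLE_BAD SAMPLE_GOOD; do
    eval "cfg=\$$name"
    kbdint_pam_ready "$cfg" && echo "$name: PAM prompts reach a keyboard-interactive client"
done
```

Against a live server, feed it the real file with `kbdint_pam_ready "$(cat /etc/ssh/sshd_config)"`.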