SSHD doesn't allow PAM module to use its own prompt for password

b.hines at comcast.net b.hines at comcast.net
Fri Apr 28 13:09:08 UTC 2006


Give this link a read it may help.

http://www.puschitz.com/SecuringLinux.shtml#EnforcingStrongerPasswords

Bob

-------------- Original message -------------- 
From: Darren Tucker <dtucker at zip.com.au> 

> On Thu, Apr 27, 2006 at 12:17:21PM -0700, Kent Wu wrote: 
> > Hi guys, 
> > 
> > I'm trying to write up my own PAM module to authenticate users 
> > coming in from ssh channel. This module was working pretty well until 
> > lately I wanted to enhance it a bit. 
> > 
> > What I tried to achieve is that when the system is in a bad 
> > state (detected by my PAM module), I want to prompt the user for a 
> > special pre-defined password for recovery purpose; the prompt I wanted 
> > is like "system is unstable, pls provide recovery password:". I passed 
> > this message through the pam_conv structure which I got by calling: 
> > 
> > pam_get_item(pamh, PAM_CONV, &void_conv); 
> > 
> > However this prompt never showed up in my log-in screen. Here I 
> > specified the msg_style as either PAM_PROMPT_ECHO_OFF or 
> > PAM_PROMPT_ECHO_ON however none of this works. 
> > 
> > So I'm thinking even though PAM has defined this conversation structure 
> > however looks like SSHD doesn't really honor it well enough. Am I 
> > missing something here or is there a workaround for me to achieve what I 
> > want? 
> 
> Which ssh server software and version are you running? 
> 
> If it's OpenSSH, you need to be using keyboard-interactive authentication 
> in sshd for this sort of thing to work. Make sure it's enabled in the 
> server's sshd_config ("ChallengeResponseAuthentication yes") then try 
> "ssh -o preferredauthentications=keyboard-interactive yourserver". 
> If that doesn't work then it's probably a bug somewhere, possibly in sshd. 
> 
> In SSH in general, basic password authentication within the protocol 
> doesn't provide enough flexibility to do what you want. (It's possible 
> for sshd to hack around some of the limits by using things like SSHv2 
> banner packets, which OpenSSH's sshd does for some things.) 
> 
> -- 
> Darren Tucker (dtucker at zip.com.au) 
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 
> Good judgement comes with experience. Unfortunately, the experience 
> usually comes from bad judgement. 
> 
> _______________________________________________ 
> Pam-list mailing list 
> Pam-list at redhat.com 
> https://www.redhat.com/mailman/listinfo/pam-list 
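The check Darren's reply implies, written up as an added example that is not part of the original thread or of OpenSSH: before blaming the PAM module, confirm that sshd will actually route keyboard-interactive authentication through PAM, because with plain password authentication sshd answers the PAM_PROMPT_ECHO_OFF prompt itself with the password it already received and never shows the module's prompt text to the client. The script below audits an sshd_config for the two settings this depends on. It assumes OpenSSH semantics (first occurrence of a keyword wins, keywords are case-insensitive, UsePAM defaults to no, ChallengeResponseAuthentication defaults to yes, and newer releases also accept the name KbdInteractiveAuthentication for the same option); the sample configurations are constructed for the demonstration and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread or from OpenSSH): audit an
# sshd_config for the settings a PAM module's custom conversation prompt
# depends on. Assumed OpenSSH semantics: first keyword occurrence wins,
# keywords are case-insensitive, UsePAM defaults to "no",
# ChallengeResponseAuthentication defaults to "yes" and is the same option as
# KbdInteractiveAuthentication. Values inside a "Match" block are conditional,
# so parsing stops at the first Match line.

# sshd_value FILE KEYWORD [ALIAS]: print the effective (first) value of a
# keyword, ignoring comments; print nothing when it is not set explicitly.
sshd_value() {
    file=$1
    shift
    awk -v k1="$1" -v k2="${2:-$1}" '
        { sub(/#.*/, "") }                       # strip trailing comments
        tolower($1) == "match" { exit }          # conditional section starts
        NF >= 2 && (tolower($1) == tolower(k1) || tolower($1) == tolower(k2)) {
            print tolower($2)
            exit                                 # first occurrence wins
        }' "$file"
}

# kbdint_pam_ready FILE: print "yes" if sshd would hand keyboard-interactive
# authentication to PAM (so pam_conv prompts reach the client), otherwise
# print "no:" followed by the reason.
kbdint_pam_ready() {
    usepam=$(sshd_value "$1" UsePAM)
    cr=$(sshd_value "$1" ChallengeResponseAuthentication KbdInteractiveAuthentication)
    : "${usepam:=no}"     # OpenSSH default when absent
    : "${cr:=yes}"        # OpenSSH default when absent
    if [ "$usepam" != "yes" ]; then
        echo "no: UsePAM is $usepam, sshd will not call PAM at all"
    elif [ "$cr" != "yes" ]; then
        echo "no: keyboard-interactive disabled (ChallengeResponseAuthentication $cr)"
    else
        echo "yes"
    fi
}

# Constructed sample configurations for the demonstration (not from any host).
bad=$(mktemp)
good=$(mktemp)
cat >"$bad" <<'EOF'
# Recovery prompt never appears with this configuration:
UsePAM yes
ChallengeResponseAuthentication no   # password auth only: sshd answers PAM itself
PasswordAuthentication yes
EOF
cat >"$good" <<'EOF'
UsePAM yes
challengeresponseauthentication yes
PasswordAuthentication no            # push clients through keyboard-interactive
EOF

kbdint_pam_ready "$bad"    # -> no: keyboard-interactive disabled (ChallengeResponseAuthentication no)
kbdint_pam_ready "$good"   # -> yes
rm -f "$bad" "$good"
```

Once the audit says "yes" and sshd has been restarted, test from the client exactly as the reply suggests, `ssh -o PreferredAuthentications=keyboard-interactive yourserver`, so the client cannot silently fall back to password authentication; if the module's prompt still does not appear at that point, the problem is in the module or in sshd rather than in the configuration. Setting PasswordAuthentication to no, as in the second sample, is the way to make the module's prompt the only path rather than an optional one.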