Why doesn't pam_prompt() function work with ssh?

Darren Tucker dtucker at zip.com.au
Mon Dec 4 20:29:25 UTC 2006


federikkom wrote:
> I'm developing an authentication service module for PAM.
> This module sends a token to a mobile to authenticate a
> user.
> 
> The module prompts "Token:" and expects the user to enter
> the token sent. If the token is valid, the user is
> authenticated. The token expires after some seconds.
> 
> With login and su application it works fine, but with ssh
> it doesn't work. However, ssh is compiled and configured
> with PAM.

Which SSH server software and version are you using?  The config looks 
like OpenSSH and the remainder of this message assumes that it is.

[...]
> When you use the login application to enter to the system,
> you can see this:
> 
> loing: user
> password:
> Token:
> 
> If the user puts the correct data, it is authenticated.
> 
> With login application works the same way:
> 
> $ su user
> password:
> Token:
> 
> But with ssh I haven't been able to prompt the word
> "Token:" to get the string that the user writes. I'm using
> the pam_prompt() function to display it.

What you're trying to do should work with SSH protocol 2 and 
keyboard-interactive authentication.

> root@gasherbrum:~# ssh -c 3des root@manaslu
> root@manaslu's password:
> Permission denied, please try again.
> root@manaslu's password:

That prompt looks like sshd's PasswordAuthentication is still enabled. 
Did you restart sshd after changing its config?  You can force the 
client to use kbdint with:

$ ssh -2 -o preferredauthentications=keyboard-interactive yourserver

> After I enter the correct password it asks me again to
> enter the password, instead of displaying "Token:".

Also, in OpenSSH "-c 3des" is a cipher option for SSH protocol 1.

The SSHv1 protocol allows for only a single challenge and response per 
auth attempt, so what you're trying to do won't work with it (and can't 
without some serious hackery on the sshd side, such as maintaining PAM 
state between auth attempts).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
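
The checks suggested in the reply above can be run against an sshd_config before testing a PAM module that issues a second prompt. This is an added example, not part of the original message and not OpenSSH code; the function names, the sample configuration and the default values for absent keywords are assumptions made for illustration.

```python
# Added illustration; not from the original message or from OpenSSH itself.
SAMPLE_SSHD_CONFIG = """\
# constructed sample configuration
Protocol 2,1
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""
# Assumed values for keywords missing from the file (defaults vary by release).
DEFAULTS = {"usepam": "no", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes", "protocol": "2,1"}
# Newer releases spell the kbdint switch KbdInteractiveAuthentication.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def effective_settings(text):
    """Global keyword values; sshd keeps the first value given for a keyword."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":  # conditional blocks are not evaluated here
            break
        seen.setdefault(key, parts[1].strip().lower())
    return {**DEFAULTS, **seen}


def token_prompt_findings(text):
    """Return (keyword, reason) pairs that can keep a second PAM prompt hidden."""
    s, out = effective_settings(text), []
    if s["usepam"] != "yes":
        out.append(("UsePAM", "sshd does not call the PAM stack"))
    if s["challengeresponseauthentication"] != "yes":
        out.append(("ChallengeResponseAuthentication",
                    "keyboard-interactive is off, so PAM prompts cannot be relayed"))
    if s["passwordauthentication"] == "yes":
        out.append(("PasswordAuthentication",
                    "clients may pick 'password', which carries one secret only"))
    protocols = {p.strip() for p in s["protocol"].split(",")}
    if "1" in protocols:
        out.append(("Protocol", "SSHv1 allows a single challenge and response"))
    return out


if __name__ == "__main__":
    for keyword, reason in token_prompt_findings(SAMPLE_SSHD_CONFIG):
        print(f"{keyword}: {reason}")
```

An empty result means none of these four settings stands in the way; the client can still be forced onto keyboard-interactive with the ssh command given in the message.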



