Why doesn't pam_set_data() work with ssh?
fender
frozenspot at gmail.com
Fri Jan 12 23:17:44 UTC 2007
Hi,
I'm developing an authentication service module for PAM. This module
sends a token to a mobile to authenticate a user.
The module prompts "Token:" and expects the user to enter the token
sent. If the token is valid, the user is authenticated. The token
expires after some seconds.
This module uses the pam_set_data() function to save status information for
next login attempts. With login application it works fine, but with
ssh application it doesn't work.
For instance, login asks the user for the user name, password and
the token. The user enters all that. The token is saved with
pam_set_data(), so if the user enters an invalid token, on the next login
attempt the service module won't generate a new token. The user has
three opportunities before it generates a new token.
With login this works fine, but with ssh pam_set_data() doesn't work
and I don't know the reason.
I show a bit of a log below:
(*) A correct operation with login:
1) 1st login attempt: I enter the correct password and an invalid token:
login: DEBUG: VAR_OTP isn't registered --> pam_get_data()
login: DEBUG: VAR_OTP is registered, value=8987 --> pam_set_data()
login: INFO: otp invalid.
2) 2nd login attempt: I just enter the token 8987, generated in the
first login attempt (the module doesn't generate a new token):
login: DEBUG: VAR_OTP is registered --> pam_get_data()
login: DEBUG: otp was entried ok.
login: DEBUG: user passed.
(*) A bad operation with ssh:
1) 1st login attempt: I enter the correct password and an invalid token:
ssh: DEBUG: VAR_OTP isn't registered --> pam_get_data()
ssh: DEBUG: VAR_OTP is registered, value=4506 --> pam_set_data()
ssh: INFO: otp invalid.
2) 2nd login attempt: I should enter only the token 4506 (the
module shouldn't generate a new token):
ssh: DEBUG: VAR_OTP isn't registered --> pam_get_data()
ssh: DEBUG: VAR_OTP is registered, value=2482 --> pam_set_data()
ssh: DEBUG: otp was entried ok.
ssh: DEBUG: user passed.
Any comment or suggestion is welcome.
Thanks in advance.
--
Federico
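
The retry behaviour described in the post, as an added example that is not the poster's module code: the state lives in a plain struct so it compiles without libpam, and in a module this struct would be the pointer handed to pam_set_data() and fetched with pam_get_data(). The function names, the struct layout and the 60-second OTP_TTL are assumptions; the 4-digit token and the three tries come from the post.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

#define OTP_LEN       4   /* digits, as in the log above */
#define OTP_MAX_TRIES 3   /* "three opportunities" from the post */
#define OTP_TTL       60  /* assumed token lifetime in seconds */

struct otp_state {
    char   token[OTP_LEN + 1];
    time_t issued;
    int    tries;          /* failed attempts against this token */
    int    valid;
};

/* Zero the state through a volatile pointer so the store is not optimised
 * away. A pam_set_data() cleanup callback would call this before free(). */
void otp_wipe(struct otp_state *st)
{
    volatile unsigned char *p = (volatile unsigned char *)st;
    for (size_t i = 0; i < sizeof *st; i++) p[i] = 0;
}

/* Before prompting: keep the cached token while it is usable. Returns 1 if
 * `fresh` (at least OTP_LEN chars) was installed and must be sent out. */
int otp_prepare(struct otp_state *st, const char *fresh, time_t now)
{
    if (st->valid && st->tries < OTP_MAX_TRIES && now - st->issued < OTP_TTL)
        return 0;
    otp_wipe(st);
    memcpy(st->token, fresh, OTP_LEN);
    st->issued = now;
    st->valid = 1;
    return 1;
}

/* After prompting: compare without an early exit on the first differing
 * byte. A token that verifies is wiped so it cannot be used twice. */
int otp_verify(struct otp_state *st, const char *entered)
{
    unsigned char diff = 0;
    if (!st->valid || strlen(entered) != OTP_LEN) { st->tries++; return 0; }
    for (size_t i = 0; i < OTP_LEN; i++) diff |= (unsigned char)(entered[i] ^ st->token[i]);
    if (diff == 0) { otp_wipe(st); return 1; }
    st->tries++;
    return 0;
}
```

pam_set_data() attaches the pointer to one pam handle, so a cached token is only visible to later calls made on that same handle in the same process.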