Why doesn't pam_set_data() work with ssh?

fender frozenspot at gmail.com
Fri Jan 12 23:17:44 UTC 2007


Hi,

I'm developing an authentication service module for PAM. This module
sends a token to a mobile to authenticate a user.

The module prompts "Token:" and expects the user to enter the token
sent. If the token is valid, the user is authenticated. The token
expires after some seconds.

This module uses the pam_set_data() function to save status information for
the next login attempts. With the login application it works fine, but with
the ssh application it doesn't work.

For instance, login asks the user for the user name, the password and
the token. The user enters all that. The token is saved with
pam_set_data(), so if the user enters an invalid token, on the next login
attempt the service module won't generate a new token. The user has
three opportunities before it generates a new token.

With login this works fine, but with ssh pam_set_data() doesn't work,
and I don't know the reason.

I show a bit of the logs below:


(*) A correct operation with login:

1) 1st login attempt:  I enter the correct password and an invalid token:

login: DEBUG: VAR_OTP isn't registered                  --> pam_get_data()
login: DEBUG: VAR_OTP is registered, value=8987 --> pam_set_data()
login: INFO: otp invalid.

2) 2nd login attempt:  I just enter the token 8987, generated in the
first login attempt (the module doesn't generate a new token):

login: DEBUG: VAR_OTP is registered                      --> pam_get_data()
login: DEBUG: otp was entried ok.
login: DEBUG: user passed.


(*) A bad operation with ssh:

1) 1st login attempt:  I enter the correct password and an invalid token:

ssh: DEBUG: VAR_OTP isn't registered                    --> pam_get_data()
ssh: DEBUG: VAR_OTP is registered, value=4506   --> pam_set_data()
ssh: INFO: otp invalid.

2) 2nd login attempt:  I should enter only the token 4506 (the
module shouldn't generate a new token):

ssh: DEBUG: VAR_OTP isn't registered                    --> pam_get_data()
ssh: DEBUG: VAR_OTP is registered, value=2482   --> pam_set_data()
ssh: DEBUG: otp was entried ok.
ssh: DEBUG: user passed.


Any comment or suggestion is welcome.
Thanks in advance.

--
Federico
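An added illustration in C of the attempt-tracking state the post describes; this is not the poster's module and not Linux-PAM's own code. The names otp_issue, otp_check and otp_state_for are my own, and the PAM glue assumes Linux-PAM's <security/pam_modules.h> (it is compiled only when that header is present), storing the state under the "VAR_OTP" name seen in the logs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define OTP_MAX_TRIES 3
#define OTP_NAME "VAR_OTP"   /* module-data name seen in the post's logs */

struct otp_state {
    char token[5];           /* 4-digit token plus NUL */
    int  tries;              /* wrong entries against the current token */
};

/* Issue a new token. Constructed stand-in generator: a real module would
 * draw from a CSPRNG and deliver the token to the phone out of band. */
void otp_issue(struct otp_state *s, unsigned int seed)
{
    snprintf(s->token, sizeof s->token, "%04u", seed % 10000u);
    s->tries = 0;
}

/* Returns 1 if the entered token matches (and retires it so it cannot be
 * replayed); otherwise 0, rotating the token after OTP_MAX_TRIES misses,
 * which is the three-opportunity policy the post describes. */
int otp_check(struct otp_state *s, const char *entered, unsigned int next_seed)
{
    int ok = strcmp(s->token, entered) == 0;
    if (ok || ++s->tries >= OTP_MAX_TRIES)
        otp_issue(s, next_seed);
    return ok;
}
#if __has_include(<security/pam_modules.h>)   /* PAM glue, when headers exist */
#include <security/pam_modules.h>
static void otp_cleanup(pam_handle_t *pamh, void *data, int err)
{ (void)pamh; (void)err; free(data); }   /* pam_end() runs this for the handle */
/* State attached to this handle, created on first use. It lives only as
 * long as this pam_handle_t, so data set through one handle is never
 * visible through another: a fresh handle starts with no OTP_NAME data. */
struct otp_state *otp_state_for(pam_handle_t *pamh, unsigned int seed)
{
    const void *p = NULL;
    if (pam_get_data(pamh, OTP_NAME, &p) == PAM_SUCCESS && p != NULL)
        return (struct otp_state *)p;
    struct otp_state *s = calloc(1, sizeof *s);
    if (s == NULL || pam_set_data(pamh, OTP_NAME, s, otp_cleanup) != PAM_SUCCESS) {
        free(s);
        return NULL;
    }
    otp_issue(s, seed);
    return s;
}
#endif
```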
