[Bug 1681] conversation function for passwd auth method assumes instead of fail

bugzilla-daemon at bugzilla.mindrot.org
Fri Dec 4 03:27:13 EST 2009


https://bugzilla.mindrot.org/show_bug.cgi?id=1681

--- Comment #4 from Tomas Mraz <t8m at centrum.cz> 2009-12-04 03:27:12 EST ---
Maybe the standard says that; however, I am just saying what current and
all previous Linux-PAM versions did - they allow neither getting nor
setting the PAM_AUTHTOK item from the application.

Maybe setting the PAM_AUTHTOK item from the application should be allowed
in future Linux-PAM versions; however, I do not think openssh can
depend on having the PAM_AUTHTOK available to the application.

Also, not supporting the current way the openssh password
authentication is implemented with PAM means that current PAM setups
might not work anymore - PAM modules, for example, might require the
try_first_pass option to consult the PAM_AUTHTOK item at all before
calling the conversation function.

In fact the "assume that echo-off prompts are for the authtok" worked
fine in most of the PAM configurations and in the remaining special
cases the sshd should have been configured to use keyboard-interactive
authentication instead of password authentication.
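
The "assume that echo-off prompts are for the authtok" behaviour discussed in the comment above, as an added sketch that is not part of the original message and is not OpenSSH's code. The `demo_*` types, constants and function are hypothetical stand-ins modelled on Linux-PAM's `pam_appl.h`, defined locally so the block builds without libpam.

```c
#include <stdlib.h>
#include <string.h>

/* Local stand-ins modelled on Linux-PAM's pam_appl.h (assumption: defined
 * here, under demo_ names, so the example builds without libpam). */
enum { DEMO_PROMPT_ECHO_OFF = 1, DEMO_PROMPT_ECHO_ON = 2,
       DEMO_ERROR_MSG = 3, DEMO_TEXT_INFO = 4 };
enum { DEMO_SUCCESS = 0, DEMO_CONV_ERR = 19 };
struct demo_message  { int msg_style; const char *msg; };
struct demo_response { char *resp; int resp_retcode; };

/* Non-interactive conversation: appdata is the password the client already
 * sent. Every echo-off prompt is assumed to ask for it; a prompt that would
 * need a different, visible answer makes the whole conversation fail. */
int demo_passwd_conv(int n, const struct demo_message **msg,
                     struct demo_response **resp, void *appdata)
{
    const char *password = appdata;
    struct demo_response *reply;
    size_t len;
    int i;
    *resp = NULL;
    if (n <= 0 || password == NULL)
        return DEMO_CONV_ERR;
    if ((reply = calloc((size_t)n, sizeof(*reply))) == NULL)
        return DEMO_CONV_ERR;
    len = strlen(password) + 1;
    for (i = 0; i < n; i++) {
        switch (msg[i]->msg_style) {
        case DEMO_PROMPT_ECHO_OFF:      /* assumed to be the authtok prompt */
            if ((reply[i].resp = malloc(len)) == NULL)
                goto fail;
            memcpy(reply[i].resp, password, len);
            break;
        case DEMO_ERROR_MSG:            /* informational: no answer needed */
        case DEMO_TEXT_INFO:
            break;
        default:                        /* echo-on prompt: cannot be answered */
            goto fail;
        }
    }
    *resp = reply;
    return DEMO_SUCCESS;
fail:
    for (i = 0; i < n; i++)
        free(reply[i].resp);            /* free(NULL) is a no-op */
    free(reply);
    return DEMO_CONV_ERR;
}
```

Any echo-off prompt, whatever it actually asks for, receives the same password here; the function only refuses when it meets a prompt style it cannot answer.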
