[Bug 2876] PAM_TEXT_INFO and PAM_ERROR_MSG conversation not honoured during PAM authentication

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Aug 2 07:28:32 AEST 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=2876

James Ralston <ralston at pobox.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ralston at pobox.com

--- Comment #10 from James Ralston <ralston at pobox.com> ---
Hi Damien. Is there any way we could assist with the effort here?

MFA logins (e.g., Duo) are becoming more and more ubiquitous. When MFA
is in play, it can be pretty important that PAM_TEXT_INFO messages are
pushed immediately, instead of being collected until the next
PAM_PROMPT_ECHO_[ON|OFF] response.

E.g., the PAM_TEXT_INFO message could be this:

"Hey, we just auto-pushed an auth request to your mobile device, so if
it looks like your login session just hung, maybe go grab your phone
and approve the request? Or just sit there staring dumbly at the screen
for 90 seconds until the push request times out. Your call."

I get why the /* accumulate messages */ logic was the case historically
(because SSH protocol version 1 was teh suck), but now that SSHv1 is
(deservedly) dead, it would be great to address this for SSHv2
keyboard-interactive auth.

If there's a concern about potentially breaking other ssh clients (e.g.
comment 8), perhaps the "push PAM_TEXT_INFO messages immediately"
behavior could be toggled by an option? E.g.,
PAMImmediateNotifications?

If you can come up with a tentative patch, we'd be happy to help test
it, against multiple different ssh clients we have here (OpenSSH,
PuTTY, et al.)
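To make the distinction in the comment above concrete, here is an added example (it is not code from the bug report or from OpenSSH) that models a PAM conversation callback under the two policies: the historical "accumulate PAM_TEXT_INFO/PAM_ERROR_MSG until the next PAM_PROMPT_ECHO_ON/OFF" behaviour, and an immediate-delivery behaviour of the kind the comment asks for. The `struct pam_message` layout and the `PAM_*` style constants are local mirrors of the Linux-PAM definitions so the file builds without libpam; the simulated module sequence (a push notification followed by a passcode prompt) and all message text are constructed for the example.

```c
/* Added example, not sshd code: a simplified model of an sshd-style PAM
 * conversation callback, comparing "accumulate info until the next prompt"
 * with "deliver info immediately". */
#include <stdio.h>
#include <string.h>

/* Local mirrors of the Linux-PAM definitions (assumed standard values), so
 * this compiles without <security/pam_appl.h>. */
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2
#define PAM_ERROR_MSG       3
#define PAM_TEXT_INFO       4

struct pam_message { int msg_style; const char *msg; };

/* What the simulated client received, and in which conversation call. */
#define MAX_EVENTS 16
struct delivery { int round; char text[256]; };
struct client_log { int n; struct delivery ev[MAX_EVENTS]; };

/* Info/error text not yet sent to the client (the "accumulate" buffer). */
static char pending[512];

static void record(struct client_log *log, int round, const char *text) {
    if (log->n < MAX_EVENTS) {
        log->ev[log->n].round = round;
        snprintf(log->ev[log->n].text, sizeof log->ev[log->n].text, "%s", text);
        log->n++;
    }
}

/* One invocation of the conversation callback by the (simulated) module.
 * `immediate` selects the delivery policy. */
static void conv(int round, const struct pam_message *msgs, int num_msg,
                 int immediate, struct client_log *log) {
    for (int i = 0; i < num_msg; i++) {
        switch (msgs[i].msg_style) {
        case PAM_TEXT_INFO:
        case PAM_ERROR_MSG:
            if (immediate) {
                /* Push the text to the client as soon as the module emits it. */
                record(log, round, msgs[i].msg);
            } else {
                /* Historical behaviour: hold the text until a prompt arrives. */
                strncat(pending, msgs[i].msg, sizeof pending - strlen(pending) - 1);
                strncat(pending, "\n", sizeof pending - strlen(pending) - 1);
            }
            break;
        case PAM_PROMPT_ECHO_ON:
        case PAM_PROMPT_ECHO_OFF:
            /* A prompt always goes to the client; any buffered text rides
             * along with it (in SSH this would be the keyboard-interactive
             * request that carries the prompt). */
            if (pending[0]) {
                record(log, round, pending);
                pending[0] = '\0';
            }
            record(log, round, msgs[i].msg);
            break;
        }
    }
}

/* Simulate an MFA-style module: a push notification first, a passcode prompt
 * later. Returns the conversation round in which the push text reached the
 * client (1 = with the notification, 2 = only once the prompt was sent). */
int info_delivery_round(int immediate) {
    struct client_log log = {0};
    pending[0] = '\0';
    /* Constructed sample messages, not taken from any real PAM module. */
    struct pam_message push = { PAM_TEXT_INFO,
        "Pushed a login request to your phone; approve it or enter a passcode." };
    struct pam_message prompt = { PAM_PROMPT_ECHO_OFF, "Passcode: " };

    conv(1, &push, 1, immediate, &log);    /* module announces the push */
    conv(2, &prompt, 1, immediate, &log);  /* later, it asks for a passcode */

    for (int i = 0; i < log.n; i++)
        if (strstr(log.ev[i].text, "Pushed a login request"))
            return log.ev[i].round;
    return -1;
}

int main(void) {
    printf("accumulate: push text delivered in round %d\n", info_delivery_round(0));
    printf("immediate:  push text delivered in round %d\n", info_delivery_round(1));
    return 0;
}
```

Under the accumulate policy the user sees nothing until the module gets around to prompting, which for a push-based MFA module can be after the push has already timed out; under the immediate policy the notification reaches the client in the same round the module emitted it. The model is deliberately minimal and ignores the real callback's response allocation and return codes.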
