[Bug 3736] New: sshd falls back to password prompt after PAM module returns a PAM_MAXTRIES.

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Sep 17 23:18:13 AEST 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3736

            Bug ID: 3736
           Summary: sshd falls back to password prompt after PAM module
                    returns a PAM_MAXTRIES.
           Product: Portable OpenSSH
           Version: 9.8p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: thibault.delmas at lxp.lu

It is more a question about if it is an intended behavior or not.

Overview:

I am working on a PAM module where I either allow a user to provide us
with an OTP code or if his account doesn't have one, I print the link
to set it up and stop the authentication. When a user doesn't have OTP
enabled, ssh prints 3 times the link because the user has 3 tries on
the sshd side of things. To prevent that I tried to use the
PAM_MAXTRIES return code in my PAM module. Instead of honoring the max
tries and stopping the connection attempt, sshd falls back to a
password prompt.

Steps to Reproduce:

For the purpose of the ticket I went and downloaded the latest 9.8p1
openssh portable and compiled it with:

configure --prefix=/opt --sysconfdir=/etc/ssh-portable --with-pam

This minimum setup to reproduce are these config files for sshd_config
and pam.d/sshd:

# /opt/sbin/sshd -V
OpenSSH_9.8p1, OpenSSL 3.0.7 1 Nov 2022

# grep -v '#' /etc/ssh-portable/sshd_config | grep -v -e '^$'
KbdInteractiveAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam
UsePAM yes
SyslogFacility AUTHPRIV
LogLevel DEBUG
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# grep -v '#' /etc/pam.d/sshd | grep -v -e '^$'
auth required pam_module.so

Running on rocky94.

The pam module, compiled with gcc -shared -o pam_module.so min.c -lpam,
and put in /usr/lib64/security/pam_module.so:

cat min.c
#include <security/pam_misc.h>
#include <security/pam_ext.h>
#include <security/pam_modules.h>

PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int
argc, const char **argv)
{
        return PAM_MAXTRIES;
}

PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
const char **argv)
{
    return PAM_SUCCESS;
}

Expected behavior:

ssh connection attempt should instantly terminates instead of asking
for a password prompt.

Current behavior:

ssh tdelmas at test-vm
tdelmas at test-vm's password: 
Permission denied, please try again.
tdelmas at test-vm's password: 
Permission denied, please try again.
tdelmas at test-vm's password: 
tdelmas at test-vm: Permission denied ().


Is there a way for me to achieve my intended behavior? Am I wrong to
assume sshd would "honor" the PAM_MAXTRIES with my current
configuration?

Thanks in advance for your feedback, hopefully posting at the right
spot.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list