i think this is great

Steve VanDevender stevev at darkwing.uoregon.edu
Tue Sep 26 07:06:18 EST 2000


Damien Miller writes:
 > On Fri, 22 Sep 2000, David Berk wrote:
 > 
 > > I have tried ( to no avail ) to get SecurID and ssh work tegether.
 > > The biggest sticking points have been either new pin / next token
 > > mode OR scp.  I would be interested in looking at your patch.  I
 > > have been banging on auth-pam.c to work in the pam stuff for
 > > the last couple days, but it seems auth-pam is an incomplete
 > > implementation of pam.  The patch from Steve VanDevender looked
 > > promising.
 > 
 > Have you tried the snapshot? Steve's patch is integrated.

I know that my patch was intended to address only the situation where
pam_acct_mgmt() returns PAM_NEW_AUTHTOK_REQD, indicating that
pam_chauthtok() should be called to change an expired password.  I don't
know for sure how that would address SecurID or other one-time password
systems handled in PAM.  I don't think it will actually help
one-time password challenge-response authentication.

The situation I encountered in trying to get pam_chauthtok() to work is
that much of the PAM authentication is done before the user's pty is set
up, and therefore the usual approach of calling pam_chauthtok()
immediately after pam_acct_mgmt() didn't work; PAM is assuming it can
conduct a conversation on the user's terminal at that point.  The
original PAM conversation function just stuffed the user's password into
PAM when pam_authenticate() was called, and failed for other PAM
functions that wanted to converse with the user.  I simply deferred
calling pam_chauthtok() until the user's pty is set up for an
interactive session, and extended the conversation function to support
user interaction on a pty.  Unfortunately this means that a
noninteractive session still doesn't result in a required password
change.  It also means that any authentication method that requires
displaying a challenge to a user and obtaining an interactive response
during pam_authenticate() is still likely to be broken.

While looking for information on PAM problems or patches relating to
Portable OpenSSH, I came across this previous posting to
openssh-unix-dev:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=96831742624299&w=2

The patch is against OpenSSH 1.2.3, but looks like a much more thorough
implementation of PAM support.  I haven't tried integrating this into
OpenSSH 2.2.0, however.  The interesting thing about this patch is that
it appears to try to support user dialogue by exchanging messages
between the server and client via the SSH protocol, so it could work for
noninteractive sessions and engage in user interaction before a session
pty has been set up.





More information about the openssh-unix-dev mailing list