PAM & several passwords

Stefan Neis neis at
Tue Mar 13 22:43:14 EST 2001

Damien Miller wrote:
> On Mon, 12 Mar 2001, Stefan Neis wrote:
> > J.S.Peatfield at wrote:
> > >
> > > Surely this would be handled by the pam code already
> > > wouldn't it?  Assuming that there are several modules
> > > all required and they each can ask the user  for some
> > > auth token...  (not that I've actually tried it of course).
> >
> > The point is that PAM is relying on the application's
> > "conversation function" to obtain passwords/auth tokens.
> > And sshd's conversation function just fills the one and only
> > password I entered into the reply slot and returns without
> > giving me any chance to do something different...
> Use SSH2 protocol and ChallengeResponseAuthentication.

Sorry, I'm lost. :-( I just upgraded to the most recent
openssh, but I have still no idea how to make use of the 
ChallengeResponseAuthentication option. AFAICS, it's
enabled by default, so what's next? My PAM module asking
for the one-time password still gets the static password.
Would I need to use 'configure --with-skey', although
that is only complaining about missing headers?


More information about the openssh-unix-dev mailing list