PAM & several passwords
Stefan Neis
neis at kobil.de
Tue Mar 13 22:43:14 EST 2001
Damien Miller wrote:
>
> On Mon, 12 Mar 2001, Stefan Neis wrote:
>
> > J.S.Peatfield at damtp.cam.ac.uk wrote:
> > >
> > > Surely this would be handled by the pam code already
> > > wouldn't it? Assuming that there are several modules
> > > all required and they each can ask the user for some
> > > auth token... (not that I've actually tried it of course).
> >
> > The point is that PAM is relying on the application's
> > "conversation function" to obtain passwords/auth tokens.
> > And sshd's conversation function just fills the one and only
> > password I entered into the reply slot and returns without
> > giving me any chance to do something different...
>
> Use SSH2 protocol and ChallengeResponseAuthentication.
Sorry, I'm lost. :-( I just upgraded to the most recent
openssh, but I have still no idea how to make use of the
ChallengeResponseAuthentication option. AFAICS, it's
enabled by default, so what's next? My PAM module asking
for the one-time password still gets the static password.
Would I need to use 'configure --with-skey', although
that is only complaining about missing headers?
Regards,
Stefan
More information about the openssh-unix-dev
mailing list