PAM & several passwords

Liudvikas Bukys bukys at cs.rochester.edu
Wed Mar 14 02:50:13 EST 2001


ChallengeResponse is not enough.
The code has hard-coded assumptions about the PAM conversation.
Anything more complicated than a simple prompt for password fails.

The code needs to be re-written so that the flow of control
inside the PAM conversation function drives the authentication
protocol.  The current code keeps the flow of control in itself
and messes with temporary buffers to interact with PAM in certain
limited ways.

I have unleashed a student here to take a look at it;
I'm hoping we can contribute something general and elegant
to the effort.  Of course, general and elegant is more work;
in the short run I wouldn't mind seeing one of the two hard-coded
TIS authsrv patches that appeared for 2.3.0 permanently incorporated.
If anyone else is doing likewise I'd like to hear from you.


----------------------------------------------------------------------
Attachment:  I have PAM set up on my Solaris machine to require
both an S/KEY (via TIS authsrv) and a reusable password.  Enclosed
is a (cleaned-up) transcript showing that rlogin/PAM can handle it
but sshd can't (doesn't even display the challenge at the appropriate
time):

----------------------------------------------------------------------
Script started on Tue Mar 13 10:37:26 2001

% rlogin localhost
Skey Challenge s/key 631 gr8490 :dish if fog grub much hull
Password: 
SUCCESS!
% logout
Connection closed.

% ssh -2 localhost
bukys at localhost's password: 
Permission denied, please try again.
bukys at localhost's password: 
Permission denied, please try again.
bukys at localhost's password: 
Skey Challenge s/key 630 gr8490 :she mess rays they bog aida
Connection closed by 127.0.0.1
% 

script done on Tue Mar 13 10:38:32 2001
----------------------------------------------------------------------
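As an added illustration of the conversation-driven flow described above (this is not code from the original post or from OpenSSH): a PAM conversation callback that relays whatever prompts the module issues, in whatever order and number, so a challenge line followed by a password prompt works without the daemon assuming a single password prompt. The PAM type definitions, the `ask_fn` client hook and the `script_ask` helper are stand-ins assumed here so the file builds and runs without libpam.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdlib.h>
#include <string.h>

/* Stand-in for the PAM conversation types (values as in Linux-PAM) so this
 * builds without libpam; real code includes <security/pam_appl.h> instead. */
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2,
       PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4, PAM_CONV_ERR = 19 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Hypothetical client hook: relay one prompt to the user and return a
 * malloc'd answer, or NULL if the user cannot answer. echo==0 hides input. */
typedef char *(*ask_fn)(const char *prompt, int echo, void *ctx);
struct conv_ctx { ask_fn ask; void *ctx; int shown; };

/* The module decides how many prompts and in what order; we only relay. */
int forwarding_conv(int num_msg, const struct pam_message **msg,
                    struct pam_response **resp, void *appdata_ptr)
{
    struct conv_ctx *c = appdata_ptr;
    struct pam_response *r;
    int i;
    if (num_msg <= 0 || c == NULL) return PAM_CONV_ERR;
    if ((r = calloc((size_t)num_msg, sizeof *r)) == NULL) return PAM_CONV_ERR;
    for (i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF: case PAM_PROMPT_ECHO_ON:
            r[i].resp = c->ask(msg[i]->msg,
                               msg[i]->msg_style == PAM_PROMPT_ECHO_ON, c->ctx);
            if (r[i].resp == NULL) goto fail;
            break;
        case PAM_TEXT_INFO: case PAM_ERROR_MSG:   /* e.g. the S/KEY challenge */
            c->shown++; break;                      /* display only, no answer */
        default: goto fail;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
fail:   /* on error nothing may be handed back, so release everything here */
    for (i = 0; i < num_msg; i++) free(r[i].resp);
    free(r);
    return PAM_CONV_ERR;
}

/* Scripted client for testing: hands out constructed answers in order. */
struct script { const char **answers; int next; };
char *script_ask(const char *prompt, int echo, void *ctx)
{
    struct script *s = ctx; (void)prompt; (void)echo;
    return s->answers[s->next] ? strdup(s->answers[s->next++]) : NULL;
}
```

A real sshd would send the PAM_TEXT_INFO text to the client in `forwarding_conv` instead of counting it; the point is that each prompt reaches the user at the moment the module asks for it.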

More information about the openssh-unix-dev mailing list