AIX authenticate()

Ben Lindstrom mouring at etoh.eviladmin.org
Thu Aug 15 00:01:33 EST 2002


No, definitely looks like the wrong solution.  authenticate() reminds me a
lot of bsd_auth and pam.  To handle correctly, I suspect you need to handle
the conversation correctly.  Not just blindly repeat the same answer over
and over.

But someone at IBM is going to have to take a gander at it in the short
term.

Would be nice for a simple example of how it breaks, and a proposed fix.
Something that I can mimic with one AIX box and a few other misc UNIXes
(Linux, Solaris, NeXT .. maybe OpenBSD).

- Ben


On Wed, 14 Aug 2002, Jan-Frode Myklebust wrote:

> On Mon, Aug 12, 2002 at 01:27:07PM -0500, Ben Lindstrom wrote:
> >
> > >
> > > 	SYSTEM = "NIS and DCE"
> > >
> > > Suggested (untested) patch should look like:
> > >
> >
> > How does this affect OpenSSH?  What can I do to mimic this on my AIX box?
> >
>
> I'm not sure, but it sounds like in this example either:
>
> 	1. Authentication can fail on NIS, and then try DCE
>
> or
>
> 	2. Both NIS and DCE authentication is required before
> 	   authenticate() succeeds.
>
> I don't have any nodes with NIS and/or DCE to test on.
>
> Anyway, here's the man-page for AIX authenticate():
>
> 	http://usgibm.nersc.gov/usr/share/man/info/en_US/a_doc_lib/libs/basetrf1/authenticate.htm
>
> "
>   The calling program makes no assumptions about the
>   number of prompt messages the user must satisfy for authentication.
>
>   The Reenter parameter remains a nonzero value until the user satisfies
>   all prompt messages or answers incorrectly. Once the Reenter
>   parameter is zero, the return code signals whether authentication
>   passed or failed.
> "
>
>
>
>   -jf
>
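
The Reenter behaviour quoted from the man page, as an added example that is not part of this thread or of OpenSSH: a caller that repeats one answer fails once a second prompt appears, while a caller that answers each Message succeeds. mock_authenticate() is a constructed stand-in that only borrows the parameter shape of AIX authenticate(); its two prompts, its secrets, and the convention that a NULL Response starts the conversation are assumptions of the mock.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in, NOT the AIX library call: two stacked methods,
 * each with its own prompt and its own (constructed) secret. */
static const char *prompts[] = { "NIS password: ", "DCE password: " };
static const char *secrets[] = { "nis-secret", "dce-secret" };
static int stage;                      /* prompt the mock is waiting on */

int mock_authenticate(const char *user, const char *response,
                      int *reenter, char **message)
{
    (void)user;
    if (response == NULL) {            /* mock convention: start over */
        stage = 0;
    } else if (strcmp(response, secrets[stage]) != 0) {
        *reenter = 0; *message = NULL; /* wrong answer: finished, failed */
        return 1;
    } else if (++stage == 2) {
        *reenter = 0; *message = NULL; /* every prompt satisfied */
        return 0;
    }
    *reenter = 1;                      /* another prompt is pending */
    *message = (char *)prompts[stage];
    return 0;
}

typedef const char *(*answer_fn)(const char *prompt);

/* Drive the conversation: no assumption about how many prompts there are;
 * the return code only means pass/fail once reenter has dropped to zero. */
int converse(const char *user, answer_fn answer)
{
    int reenter = 0;
    char *msg = NULL;
    int rc = mock_authenticate(user, NULL, &reenter, &msg);
    while (reenter != 0)
        rc = mock_authenticate(user, answer(msg), &reenter, &msg);
    return rc;
}

/* Repeats the same answer whatever the prompt says. */
const char *blind(const char *prompt) { (void)prompt; return "nis-secret"; }

/* Answers the prompt that was actually issued. */
const char *per_prompt(const char *prompt)
{
    return strncmp(prompt, "NIS", 3) == 0 ? "nis-secret" : "dce-secret";
}
```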




More information about the openssh-unix-dev mailing list