keyboard-interactive
Damien Miller
djm at mindrot.org
Tue Jan 8 15:29:36 EST 2002
On Tue, 2002-01-08 at 10:48, Mark D. Roth wrote:
> The PAM module itself can't force a particular SSH auth method, but
> you can set this up in the sshd_config file by enabling
> ChallengeResponseAuthentication and disabling all the other auth
> methods. To get ChallengeResponseAuthentication to use PAM, you also
> need to enable PAMAuthenticationViaKbdInt.
I have been wanting to rewrite the PAM kbd-interactive support for a
while now, but have hit a brick wall with the PAM api.
The PAM API wants to ask all the questions and gather all the responses
in a single conversation function. This doesn't work well with the SSH
protocol, where userauth messages can arrive in any order.
The current kbd-int PAM support assumes that it can get a response
immediately and somewhat abuses the dispatch API to get at it. It
probably isn't robust in the face of clients who send requests in a
funny order.
If any PAM experts can offer a solution to this, it would be greatly
appreciated.
What I would really like to see in PAM is the ability to call a function
to collect the auth queries and another to send the responses at a time
of my choosing.
-d
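As an added illustration, not code from this thread or from OpenSSH, here is a Python sketch of one way to reconcile the two models the post contrasts: run the PAM conversation in its own thread and pass prompts and answers through queues, so the SSH side can send SSH_MSG_USERAUTH_INFO_REQUEST, return to its dispatch loop, and feed the client's INFO_RESPONSE back whenever it arrives. The PAM module is a constructed stand-in, and the thread/queue bridge is an assumed design, not something the post proposes.

```python
import threading
import queue

# Constructed model of the PAM conversation API: the module calls conv() once
# with every prompt and needs every answer back before conv() returns.
def mock_pam_authenticate(conv, expected):
    """Stand-in for pam_authenticate(): a module asking two questions at once."""
    msgs = ["Password: ", "Token: "]
    answers = conv(msgs)              # blocks until all answers are available
    return list(answers) == list(expected)

class KbdIntBridge:
    """Run the PAM conversation in a worker thread so the SSH dispatch loop can
    send SSH_MSG_USERAUTH_INFO_REQUEST now and consume INFO_RESPONSE later."""
    def __init__(self, expected):
        self.prompts = queue.Queue()      # PAM thread -> SSH side
        self.responses = queue.Queue()    # SSH side -> PAM thread
        self.result = None
        self.thread = threading.Thread(target=self._run, args=(expected,))
        self.thread.start()

    def _conv(self, msgs):
        self.prompts.put(msgs)            # hand the whole batch to the SSH side
        return self.responses.get()       # parks the PAM thread, not sshd's dispatcher

    def _run(self, expected):
        self.result = mock_pam_authenticate(self._conv, expected)
        self.prompts.put(None)            # sentinel: the conversation is over

    def next_info_request(self):
        """SSH side: prompts to encode as an INFO_REQUEST, or None when finished."""
        return self.prompts.get()

    def deliver_info_response(self, answers):
        """SSH side: called once the client's INFO_RESPONSE has been parsed."""
        self.responses.put(answers)

    def finish(self):
        self.thread.join()
        return self.result

def run_kbdint(client_answers, expected):
    """Drive one keyboard-interactive exchange against the bridged PAM stack."""
    bridge = KbdIntBridge(expected)
    while (msgs := bridge.next_info_request()) is not None:
        # Real sshd would send INFO_REQUEST here, return to its dispatch loop,
        # and call deliver_info_response() only when INFO_RESPONSE arrives.
        bridge.deliver_info_response(client_answers[:len(msgs)])
    return bridge.finish()
```

The PAM thread is the only party that blocks, so out-of-order userauth messages can be handled by the normal dispatcher while the conversation is pending.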