keyboard-interactive

Damien Miller djm at mindrot.org
Tue Jan 8 15:29:36 EST 2002


On Tue, 2002-01-08 at 10:48, Mark D. Roth wrote:
> The PAM module itself can't force a particular SSH auth method, but
> you can set this up in the sshd_config file by enabling
> ChallengeResponseAuthentication and disabling all the other auth
> methods.  To get ChallengeResponseAuthentication to use PAM, you also
> need to enable PAMAuthenticationViaKbdInt.

I have been wanting to rewrite the PAM kbd-interactive support for a
while now, but have hit a brick wall with the PAM api.

The PAM API wants to ask all the questions and gather all the responses
in a single conversation function. This doesn't work well with the SSH
protocol, where userauth messages can arrive in any order. 

The current kbd-int PAM support assumes that it can get a response
immediately and somewhat abuses the dispatch API to get at it. It
probably isn't robust in the face of clients who send requests in a
funny order.

If any PAM experts can offer a solution to this, it would be greatly
appreciated.

What I would really like to see in PAM is the ability to call a function
to collect the auth queries and another to send the responses at a time
of my choosing.

-d
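As an added illustration of the two-phase conversation the message above asks for (this is example code, not OpenSSH's or any PAM implementation's): the PAM types, constants and `pam_authenticate()` below are local stand-ins written here so the program compiles without libpam, with the struct layouts and the `PAM_CONV_AGAIN`/`PAM_INCOMPLETE` names mirroring Linux-PAM's conventions; the module that asks one password question, the function names `kbdint_begin`/`kbdint_respond`, and the secret "correct horse" are all constructed for the demonstration. The conversation function records the prompts on its first call and defers instead of answering, so the server can build its info request and collect the client's reply whenever the dispatch loop gets to it, then re-enters authentication with the answers in hand. A client that sends responses before any request, or the wrong number of them, is rejected rather than fed into the module.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins so the example builds without libpam (names follow Linux-PAM). */
#define PAM_SUCCESS         0
#define PAM_AUTH_ERR        7
#define PAM_CONV_ERR        19
#define PAM_CONV_AGAIN      30  /* conv(): "no answers yet, call me again later" */
#define PAM_INCOMPLETE      31  /* pam_authenticate(): conversation was deferred */
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
typedef int (*conv_fn)(int, const struct pam_message **, struct pam_response **, void *);

#define MAX_PROMPTS 4

/* Shared between the sshd side and the conversation function (assumed layout). */
struct kbdint_state {
    int nprompts;                 /* queries queued for the info request */
    const char *prompts[MAX_PROMPTS];
    int echo[MAX_PROMPTS];
    int nresponses;               /* 0 until the client's info response arrives */
    char *responses[MAX_PROMPTS];
};

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Two-phase conversation: first call records the questions and defers;
   the second call, made once responses were supplied, hands them to the module. */
static int deferred_conv(int num_msg, const struct pam_message **msg,
                         struct pam_response **resp, void *appdata_ptr) {
    struct kbdint_state *st = appdata_ptr;
    int i;
    if (num_msg <= 0 || num_msg > MAX_PROMPTS) return PAM_CONV_ERR;
    if (st->nresponses == 0) {
        st->nprompts = num_msg;   /* phase 1: collect queries, answer later */
        for (i = 0; i < num_msg; i++) {
            st->prompts[i] = msg[i]->msg;
            st->echo[i] = (msg[i]->msg_style == PAM_PROMPT_ECHO_ON);
        }
        return PAM_CONV_AGAIN;
    }
    if (st->nresponses != num_msg) return PAM_CONV_ERR;  /* question set changed */
    *resp = calloc((size_t)num_msg, sizeof(**resp));     /* phase 2: deliver answers */
    if (*resp == NULL) return PAM_CONV_ERR;
    for (i = 0; i < num_msg; i++)
        (*resp)[i].resp = dup_str(st->responses[i]);
    return PAM_SUCCESS;
}

/* Stand-in for pam_authenticate() driving a constructed one-question module. */
static int fake_pam_authenticate(conv_fn conv, void *appdata) {
    const struct pam_message q = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *qs[1] = { &q };
    struct pam_response *r = NULL;
    int rc = conv(1, qs, &r, appdata);
    if (rc == PAM_CONV_AGAIN) return PAM_INCOMPLETE;
    if (rc != PAM_SUCCESS) return PAM_AUTH_ERR;
    rc = (r[0].resp && strcmp(r[0].resp, "correct horse") == 0) ? PAM_SUCCESS : PAM_AUTH_ERR;
    free(r[0].resp);
    free(r);
    return rc;
}

/* sshd side, step 1: run the module until it asks; returns PAM_INCOMPLETE and
   leaves the prompts in st for the server's info request. */
int kbdint_begin(struct kbdint_state *st) {
    memset(st, 0, sizeof(*st));
    return fake_pam_authenticate(deferred_conv, st);
}

/* sshd side, step 2: called when the client's info response arrives, at a
   time of the dispatcher's choosing. Answers are only accepted for questions
   that were actually queued, so out-of-order or malformed replies fail closed. */
int kbdint_respond(struct kbdint_state *st, int n, char **answers) {
    int i;
    if (n <= 0 || n != st->nprompts) return PAM_AUTH_ERR;
    for (i = 0; i < n; i++) st->responses[i] = answers[i];
    st->nresponses = n;
    return fake_pam_authenticate(deferred_conv, st);
}

int main(void) {
    struct kbdint_state st;
    char *answer[1] = { "correct horse" };  /* constructed client reply */
    int rc = kbdint_begin(&st);
    printf("begin: rc=%d, %d prompt(s) queued\n", rc, st.nprompts);
    for (int i = 0; i < st.nprompts; i++)
        printf("  prompt[%d] echo=%d: %s\n", i, st.echo[i], st.prompts[i]);
    rc = kbdint_respond(&st, 1, answer);
    printf("respond: rc=%d (%s)\n", rc, rc == PAM_SUCCESS ? "authenticated" : "denied");
    return rc == PAM_SUCCESS ? 0 : 1;
}
```

The design only works where every module in the stack returns cleanly when its conversation function answers `PAM_CONV_AGAIN` and can be re-entered later; a module that insists on a synchronous answer still needs the conversation run in a separate thread or process that blocks while the dispatch loop talks to the client.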
