keyboard-interactive

Frank Cusack fcusack at fcusack.com
Wed Jan 9 00:19:13 EST 2002


On Tue, Jan 08, 2002 at 03:29:36PM +1100, Damien Miller wrote:
> The PAM API wants to ask all the questions and gather all the responses
> in a single conversation function. This doesn't work well with the SSH
> protocol, where userauth messages can arrive in any order. 
> 
> The current kbd-int PAM support assumes that it can get a response
> immediately and somewhat abuses the dispatch API to get at it. It
> probably isn't robust in the face of clients who send requests in a
> funny order.

Do you have any example of a client that actually does this?

> If any PAM experts can offer a solution to this, it would be greatly
> appreciated.
> 
> What I would really like to see in PAM is the ability to call a function
> to collect the auth queries and another to send the responses at a time
> of my choosing.

Eek.  I don't believe that's possible (or at best, more difficult than
it's worth).  But I may not quite understand exactly what you want to do.  

The conversation (i.e., pam_conv()) needs to complete (fill in all responses)
before returning.  So in order to do things "asynchronously", you'd pretty
much need to stash "control data" in appdata_ptr (or use global data), and
call out to other sshd code in the conversation function.  You'd be
running a mini-sshd within the conversation function.  It seems unlikely
to me this is really doable, however my knowledge of the code isn't that
great.

This might be more doable if sshd were multithreaded, but PAM isn't really
compatible with threaded apps, so sshd would have to both be fork()/exec()
and multithreaded.  This is almost certainly not worth it.

/fc
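The constraint Frank describes above, as an added example that is not code from the thread, from OpenSSH or from any PAM implementation: a conversation function that can only answer from responses the application gathered before calling pam_authenticate(), with the "control data" passed through appdata_ptr. The struct name scripted_conv, the helper names, the two-prompt "module side" stand-in and the sample answers are all constructed for this illustration; the HAVE_PAM guard pulls in the real header where libpam is installed and otherwise mirrors the handful of Linux-PAM declarations the example uses.

```c
/* Added example: a PAM conversation callback that answers only from
 * pre-collected responses.  pam_conv() must fill in every response before
 * it returns, so a prompt the caller did not anticipate can only fail. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef HAVE_PAM
#include <security/pam_appl.h>
#else
/* Minimal mirror of the <security/pam_appl.h> declarations used below,
 * so the example builds without libpam-dev.  Values follow Linux-PAM. */
#define PAM_SUCCESS          0
#define PAM_BUF_ERR          5
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
#endif

/* Hypothetical control block handed to PAM through appdata_ptr. */
struct scripted_conv {
    const char *const *answers;  /* answers collected in advance, in prompt order */
    int nanswers;
    int next;                    /* index of the next unused answer */
    int starved;                 /* set when PAM asked for an answer we lacked */
};

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

static void free_responses(struct pam_response *r, int n)
{
    for (int i = 0; i < n; i++)
        free(r[i].resp);
    free(r);
}

/* The conversation callback.  PAM invokes it from inside pam_authenticate()
 * and expects every prompt in msg[] answered before it returns. */
static int scripted_conv_fn(int num_msg, const struct pam_message **msg,
                            struct pam_response **resp, void *appdata_ptr)
{
    struct scripted_conv *sc = appdata_ptr;
    if (num_msg <= 0 || sc == NULL)
        return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (r == NULL)
        return PAM_BUF_ERR;

    for (int i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:
        case PAM_PROMPT_ECHO_OFF:
            if (sc->next >= sc->nanswers) {
                /* No answer on hand, and no way to suspend here and resume
                 * after the next SSH userauth message arrives: fail. */
                sc->starved = 1;
                free_responses(r, num_msg);
                return PAM_CONV_ERR;
            }
            r[i].resp = dup_string(sc->answers[sc->next++]);
            if (r[i].resp == NULL) {
                free_responses(r, num_msg);
                return PAM_BUF_ERR;
            }
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
            break;               /* informational; resp stays NULL */
        default:
            free_responses(r, num_msg);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Constructed sample answers, as sshd might have gathered them from the
 * client's userauth messages before ever calling pam_authenticate(). */
static const char *const sample_answers[] = { "hunter2", "123456" };

/* Stand-in for a module's side of the exchange: one conversation carrying
 * an info line and two prompts.  Uses the first nanswers sample answers;
 * returns the PAM result code and, on success, copies what PAM received. */
int demo_conversation(int nanswers, char *pw, size_t pw_len, char *tok, size_t tok_len)
{
    const struct pam_message m0 = { PAM_TEXT_INFO,       "Welcome to example host" };
    const struct pam_message m1 = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message m2 = { PAM_PROMPT_ECHO_ON,  "Token code: " };
    const struct pam_message *msgs[3] = { &m0, &m1, &m2 };
    struct scripted_conv sc = { sample_answers, nanswers, 0, 0 };
    struct pam_conv conv = { scripted_conv_fn, &sc };
    struct pam_response *resp = NULL;

    int rc = conv.conv(3, msgs, &resp, conv.appdata_ptr);
    if (rc == PAM_SUCCESS) {
        snprintf(pw, pw_len, "%s", resp[1].resp ? resp[1].resp : "");
        snprintf(tok, tok_len, "%s", resp[2].resp ? resp[2].resp : "");
        free_responses(resp, 3);   /* the module side owns the responses */
    }
    return rc;
}

/* 1 when both pre-collected answers reach the right prompts, else 0. */
int demo_answers_delivered(void)
{
    char pw[32], tok[32];
    if (demo_conversation(2, pw, sizeof pw, tok, sizeof tok) != PAM_SUCCESS)
        return 0;
    return strcmp(pw, "hunter2") == 0 && strcmp(tok, "123456") == 0;
}

int main(void)
{
    char pw[32], tok[32];
    printf("both answers ready: rc=%d\n", demo_conversation(2, pw, sizeof pw, tok, sizeof tok));
    printf("one answer ready:   rc=%d\n", demo_conversation(1, pw, sizeof pw, tok, sizeof tok));
    return 0;
}
```

With both answers prepared the conversation completes and the module gets its responses; with only the password collected, the token prompt arrives while the callback is still on the stack, and the only option is PAM_CONV_ERR, which is exactly the "mini-sshd inside the conversation function" problem Frank points at: the missing answer can only come from another client message, but control cannot return to sshd's dispatch loop until the callback has finished.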
