keyboard-interactive

Nicolas Williams Nicolas.Williams at ubsw.com
Wed Jan 9 02:33:07 EST 2002


On Tue, Jan 08, 2002 at 03:29:36PM +1100, Damien Miller wrote:
> On Tue, 2002-01-08 at 10:48, Mark D. Roth wrote:
> > The PAM module itself can't force a particular SSH auth method, but
> > you can set this up in the sshd_config file by enabling
> > ChallengeResponseAuthentication and disabling all the other auth
> > methods.  To get ChallengeResponseAuthentication to use PAM, you also
> > need to enable PAMAuthenticationViaKbdInt.
> 
> I have been wanting to rewrite the PAM kbd-interactive support for a
> while now, but have hit a brick wall with the PAM api.
> 
> The PAM API wants to ask all the questions and gather all the responses
> in a single conversation function. This doesn't work well with the SSH
> protocol, where userauth messages can arrive in any order. 
> 
> The current kbd-int PAM support assumes that it can get a response
> immediately and somewhat abuses the dispatch API to get at it. It
> probably isn't robust in the face of clients who send requests in a
> funny order.
> 
> If any PAM experts can offer a solution to this, it would be greatly
> appreciated.
> 
> What I would really like to see in PAM is the ability to call a function
> to collect the auth queries and another to send the responses at a time
> of my choosing.

PAM doesn't allow this at all, though Linux-PAM, at least, allows the
conversation function to return, I think, PAM_CONV_AGAIN/PAM_INCOMPLETE,
which modules can take as a cue to return the same to libpam which
then marks the place in the PAM stack where this happened and returns
the same error to the application, which can then restart the PAM call
in question and which libpam will restart where it had stopped, rather
than from the beginning.

Part of the problem is that a module might have more questions to ask
given the answers to previous questions. Any system like PAM, with
pluggable modules, will be potentially too dynamic to be used the way
you want ("ask all your questions now, I'll answer them later").

> -d
> 

Cheers,

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
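The non-blocking conversation this thread is asking for, as an added example (not code from the thread, OpenSSH or Linux-PAM): on the first call the conv function parks the prompts and returns Linux-PAM's PAM_CONV_AGAIN, so the module can report PAM_INCOMPLETE and sshd can ship the prompts to the client; once the responses arrive the application calls pam_authenticate() again and the same conv function hands them over. The kbdint_state struct and the sshd_* names are hypothetical, and the header fallback exists only so the file compiles without libpam.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
/* Real Linux-PAM header if present, else hand-copied stand-ins (Linux-PAM values). */
#if defined(__has_include)
# if __has_include(<security/pam_appl.h>)
#  include <security/pam_appl.h>
#  define HAVE_PAM_APPL_H
# endif
#endif
#ifndef HAVE_PAM_APPL_H
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19, PAM_CONV_AGAIN = 30, PAM_INCOMPLETE = 31 };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
#endif
#define MAX_PROMPTS 8
/* Hypothetical per-session state shared by the SSH layer and the conv function. */
struct kbdint_state {
    int num_prompts;               /* prompts parked for SSH_MSG_USERAUTH_INFO_REQUEST */
    const char *prompt[MAX_PROMPTS];
    char *answer[MAX_PROMPTS];     /* filled from SSH_MSG_USERAUTH_INFO_RESPONSE */
    int answers_ready;
};
/* Conversation callback (pam_conv signature).  Never waits on the client. */
int sshd_conv(int n, const struct pam_message **msg,
              struct pam_response **resp, void *appdata)
{
    struct kbdint_state *st = appdata;
    int i;
    if (n <= 0 || n > MAX_PROMPTS) return PAM_CONV_ERR;
    if (!st->answers_ready) {          /* first pass: park prompts, come back later */
        st->num_prompts = n;
        for (i = 0; i < n; i++) st->prompt[i] = msg[i]->msg;
        return PAM_CONV_AGAIN;         /* module turns this into PAM_INCOMPLETE */
    }
    *resp = calloc((size_t)n, sizeof **resp); /* module frees this, per PAM rules */
    if (*resp == NULL) return PAM_CONV_ERR;
    for (i = 0; i < n; i++) { (*resp)[i].resp = st->answer[i]; st->answer[i] = NULL; }
    st->answers_ready = 0;
    return PAM_SUCCESS;
}
/* SSH layer: client's answers arrived; count must match the parked prompts. */
int sshd_deliver_answers(struct kbdint_state *st, int n, const char *const *ans)
{
    int i;
    if (st->answers_ready || n != st->num_prompts) return -1;
    for (i = 0; i < n; i++) st->answer[i] = strdup(ans[i]);
    st->answers_ready = 1;
    return 0;
}
```

The application side (not shown) treats PAM_INCOMPLETE from pam_authenticate() as "send st->prompt to the client, then retry the same call once sshd_deliver_answers() has run".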




More information about the openssh-unix-dev mailing list