keyboard-interactive
Markus Friedl
markus at openbsd.org
Thu Jan 10 09:21:06 EST 2002
On Tue, Jan 08, 2002 at 05:19:13AM -0800, Frank Cusack wrote:
> On Tue, Jan 08, 2002 at 03:29:36PM +1100, Damien Miller wrote:
> > The PAM API wants to ask all the questions and gather all the responses
> > in a single conversation function. This doesn't work well with the SSH
> > protocol, where userauth messages can arrive in any order.
> >
> > The current kbd-int PAM support assumes that it can get a response
> > immediately and somewhat abuses the dispatch API to get at it. It
> > probably isn't robust in the face of clients who send requests in a
> > funny order.
>
> Do you have any example of a client that actually does this?
I don't know.
currently openssh works like this:
there is a mainloop that dispatches the packets and calls different
functions depending on the message type.
so when sshd receives a REQUEST message the mainloop calls
input_userauth_request()
input_userauth_request() needs to parse the REQUEST message and
(for kbd-interactive) construct an INFO_REQUEST message by calling
some PAM API and return the control to the mainloop.
now the client can send _any_ packet, e.g. a KEXINIT
for rekeying or a new REQUEST message for a different
authentication method (e.g. pubkey).
if the client sends the INFO_RESPONSE then input_userauth_info_response()
needs to verify the response.
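The dispatch flow Markus describes, as an added example (not OpenSSH code and not from this thread): a minimal server-side state machine where the mainloop hands each packet to a handler, a KEXINIT arriving mid-exchange leaves the auth state alone, a REQUEST for another method abandons the pending kbd-int exchange, and an INFO_RESPONSE with no outstanding INFO_REQUEST is treated as a protocol error rather than fed to the verifier. Message type values, the `EXPECTED_ANSWER` standing in for PAM's verdict, and the handler names are constructed for this model.

```c
#include <string.h>

/* Constructed message types mirroring the thread; values are placeholders,
 * not the real SSH protocol constants. */
enum msg_type { MSG_KEXINIT = 1, MSG_USERAUTH_REQUEST, MSG_USERAUTH_INFO_RESPONSE };
enum auth_state { AUTH_IDLE, AUTH_KBDINT_PENDING };
enum action { ACT_REKEY, ACT_SEND_INFO_REQUEST, ACT_OTHER_METHOD,
              ACT_AUTH_OK, ACT_AUTH_FAIL, ACT_PROTOCOL_ERROR };

struct authctxt { enum auth_state state; int failures; };
static struct authctxt ctx;

/* Constructed expected answer standing in for the PAM verdict (assumption). */
static const char *EXPECTED_ANSWER = "correct-answer";

void ctx_reset(void) { ctx.state = AUTH_IDLE; ctx.failures = 0; }

/* Model of input_userauth_request(): record that an INFO_REQUEST is now
 * outstanding and return to the mainloop. A request for a different method
 * drops any pending kbd-int state so a late INFO_RESPONSE cannot be misused. */
static enum action input_userauth_request(const char *method) {
    if (strcmp(method, "keyboard-interactive") == 0) {
        ctx.state = AUTH_KBDINT_PENDING;   /* INFO_REQUEST would be sent here */
        return ACT_SEND_INFO_REQUEST;
    }
    ctx.state = AUTH_IDLE;                 /* abandon the pending exchange */
    return ACT_OTHER_METHOD;
}

/* Model of input_userauth_info_response(): only meaningful while a request
 * is outstanding; anything else is a client protocol error, not a verdict. */
static enum action input_userauth_info_response(const char *answer) {
    if (ctx.state != AUTH_KBDINT_PENDING)
        return ACT_PROTOCOL_ERROR;
    ctx.state = AUTH_IDLE;                 /* exactly one response per request */
    if (strcmp(answer, EXPECTED_ANSWER) == 0)
        return ACT_AUTH_OK;
    ctx.failures++;
    return ACT_AUTH_FAIL;
}

/* The mainloop's dispatch: KEXINIT (rekeying) never touches auth state,
 * so it may arrive between INFO_REQUEST and INFO_RESPONSE harmlessly. */
enum action dispatch(enum msg_type type, const char *payload) {
    switch (type) {
    case MSG_KEXINIT:                return ACT_REKEY;
    case MSG_USERAUTH_REQUEST:       return input_userauth_request(payload);
    case MSG_USERAUTH_INFO_RESPONSE: return input_userauth_info_response(payload);
    }
    return ACT_PROTOCOL_ERROR;
}
```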