[Bug 423] Workaround for pw change in privsep mode (3.5.p1)

Mon Nov 11 01:13:53 EST 2002

Frank Cusack wrote:
> On Fri, Nov 08, 2002 at 11:00:05AM +0100, Michael Steffens wrote:
> 
>>Darren Tucker wrote:
>>
>>>Michael Steffens wrote:
>>>
>>>
>>>>And, if the PAM stack for sshd is really configured to prompt for
>>>>multiple different passwords, authentication will always fail...
>>>
>>>
>>>So by rights, PAM authentication should always be done via
>>>keyboard-interactive? If you do that, you can throw the pam_chauthok
>>>stuff in there too?
>>>
>>
>>Yes and no :)
> 
> 
> Just yes, really.  The PAM framework demands the type of exchange that
> only keyboard-interactive offers.  The way the "password" authentication
> method interacts with PAM is a kludge.
> 
> 
>>If keyboard-interactive would work in privsep mode (it doesn't, at
>>least for me)
> 
> 
> It does not because PAM in general requires root privs

I remember vaguely that PAM itself doesn't require root privileges,
despite in real life it actually often does, for a subset of
functions, where the modules are implemented to access secret
information directly. Like pam_authenticate() reading in a
shadow database. So for being sure that it actually works
you are right. :)

> and in privsep
> mode the PAM code runs in the unpriv part.  The correct fix IMHO is
> to move the PAM code into the priv part.  I don't know if this is
> feasible, but from a security standpoint should be pretty good.  The
> PAM code is a small part to look at and any bugs are going to be in
> the PAM libs, not openssh.
> 
>>and if it would be also available for protocol 1, which it isn't,
> 
> 
> Not so fast there. :-)  Look in the bugs db for a TISviaPAM patch.  This
> uses the ssh1 TIS auth method to do the same thing that kbdint does.

Here I'm confused. Assuming that you mean

  http://bugzilla.mindrot.org/show_bug.cgi?id=118

and that it does challenge/response authentication, can it
replace the password authentication part?