New PAM kbd-int code
Darren Tucker
dtucker at zip.com.au
Thu Jan 23 19:08:28 EST 2003
Damien Miller wrote:
> http://www.mindrot.org/~djm/openssh/openssh-newpam-20030123.tar.gz
> Is a snapshot of the new PAM-via-KbdInt authentication support from
> FreeBSD's OpenSSH tree.
I've just caught up with the regress/ update from yesterday [1]. I've
also added PAM configurations to the tinderbox [2].
The patch applies cleanly to the snapshot, so if you're game you can run
the regression suite as follows:
$ cd openssh-newpam-20030123
$ patch -p0 <openssh-regressport2.patch
$ ./configure --with-pam && make regress
If your platform needs root for PAM operations, you'll need "SUDO=sudo make regress".
> Please test this now. I can only surmise by the silence that has greeted
> my previous requests for testing that the code works perfectly.
Wow, that's, err, optimistic :-)
FWIW, I get the following results:
Redhat 8.0:
* can log in via keyboard-interactive
* passes regression tests
* CHANGE_EXPIRED_AUTHTOK doesn't seem to work with or w/out privsep.
W/out privsep, sshd gives:
Postponed keyboard-interactive for testuser from 192.168.1.1 port 2068 ssh2
debug2: PAM: sshpam_respond
debug3: ssh_msg_send: type 6
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 3
debug3: ssh_msg_send: type 7
debug3: ssh_msg_recv entering
PAM: Authentication token is no longer valid; new one required.
debug2: auth2_challenge_start: devices <empty>
Failed keyboard-interactive/pam for testuser from 192.168.1.1 port 2068 ssh2
debug1: userauth-request for user testuser service ssh-connection method keyboard-interactive
debug1: attempt 7 failures 7
HP-UX 11.00:
* sshd core dumps on login [3]
Solaris 8:
* can log in via keyboard-interactive
* passes regression tests
* CHANGE_EXPIRED_AUTHTOK doesn't seem to work (same messages as redhat)
Refs.
[1] http://www.zip.com.au/~dtucker/openssh/regress/openssh-regressport2.patch
[2] http://dodgynet.dyndns.org/tinderbox/OpenSSH_Portable/status.html
[3] http://www.zip.com.au/~dtucker/openssh/regress/hpux11-newpam-sshd.log
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.