New PAM kbd-int code

Darren Tucker dtucker at zip.com.au
Thu Jan 23 19:08:28 EST 2003


Damien Miller wrote:
> http://www.mindrot.org/~djm/openssh/openssh-newpam-20030123.tar.gz
> Is a snapshot of the new PAM-via-KbdInt authentication support from
> FreeBSD's OpenSSH tree.

I've just caught up with the regress/ update from yesterday [1].  I've
also added PAM configurations to the tinderbox [2].

The patch applies cleanly to the snapshot, so if you're game you can run
the regression suite as follows:

$ cd openssh-newpam-20030123
$ patch -p0 <openssh-regressport2.patch
$ ./configure --with-pam && make regress

If your platform needs root for PAM operations, you'll need "SUDO=sudo
make regress".

> Please test this now. I can only surmise by the silence that has greeted
> my previous requests for testing that the code works perfectly.

Wow, that's, err, optimistic :-)

FWIW, I get the following results:

Redhat 8.0:
* can log in via keyboard-interactive
* passes regression tests
* CHANGE_EXPIRED_AUTHTOK doesn't seem to work with or w/out privsep.
W/out privsep, sshd gives:
Postponed keyboard-interactive for testuser from 192.168.1.1 port 2068 ssh2
debug2: PAM: sshpam_respond
debug3: ssh_msg_send: type 6
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 3
debug3: ssh_msg_send: type 7
debug3: ssh_msg_recv entering
PAM: Authentication token is no longer valid; new one required.
debug2: auth2_challenge_start: devices <empty>
Failed keyboard-interactive/pam for testuser from 192.168.1.1 port 2068 ssh2
debug1: userauth-request for user testuser service ssh-connection method keyboard-interactive
debug1: attempt 7 failures 7

HP-UX 11.00:
* sshd core dumps on login [3]

Solaris 8:
* can log in via keyboard-interactive
* passes regression tests
* CHANGE_EXPIRED_AUTHTOK doesn't seem to work (same messages as redhat)

Refs.
[1] http://www.zip.com.au/~dtucker/openssh/regress/openssh-regressport2.patch
[2] http://dodgynet.dyndns.org/tinderbox/OpenSSH_Portable/status.html
[3] http://www.zip.com.au/~dtucker/openssh/regress/hpux11-newpam-sshd.log

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



