OpenSSH 3.7.1 compatibility problems on Linux

Dag-Erling Smørgrav des at des.no
Sat Sep 20 05:39:00 EST 2003


James Bourne <jbourne at hardrock.org> writes:
> On Fri, 19 Sep 2003, Dag-Erling Smørgrav wrote:
> > Then turn PAM off and stop whining.  The only way to implement PAM
> > authentication in ssh1 is to abuse the TIS authentication protocol, so
> A little difficult when the only way to get LDAP support into ssh is by
> using pam, and besides, *why* would anyone even contemplate using different
> auth implementations for the various services on a server when you can use a
> single framework to auth with?

Sorry, but PAM and ssh1 just don't go along very well.  One more
reason to use ssh2 instead.

> > you have a choice between 1) PAM authentication that looks like crap
> > and 2) no PAM authentication.  Take your pick.
> Apply the attached patch and you don't have a problem with double prompts.
> Not saying it's the right solution but it works...

It's definitely not the right solution, as it breaks the cases where
the challenge is an actual challenge (e.g. pam_opie).

> > There is no "keyboard-interactive" authentication in ssh1.  You need
> > to get better at that "reading" thing you've been hearing about.
> No kidding, that's why those clients don't support keyboard-interactive...

This is not the problem here.  You're confusing two issues: one,
mentioned in this thread, is a failure of ssh1's regular password
authentication method, and the other, which was *not* mentioned in
this thread, is the lack of keyboard-interactive support in some
Windows-based ssh2 clients.

> There's no way in ssh1 to authenticate with a password then?  Doesn't make
> much sense does it?  It was doing password authentication before with
> version 1, now it can't and it breaks clients which can't do ssh v2?

ssh1 has a very limited range of authentication options.  One of those
is simple password authentication, another is TIS authentication
(which can also be used for any challenge/response authentication
scheme using only one challenge).

ssh2 has a wider range of options, including keyboard-interactive
which allows for longer exchanges of prompts and responses, and can
thus be used for challenge/response schemes where multiple challenges
may be required (such as PAM).

PAM can be shoe-horned into ssh1's TIS authentication method, but
it'll break if more than one challenge is needed (whether that is the
case depends on the contents of /etc/pam.conf or /etc/pam.d/sshd).

The original poster's problem, apart from the double prompt, seems to
be that PAM worked but ssh's builtin password authentication didn't,
for unknown reasons.  The fact that password authentication didn't
work for him is a completely separate problem from the whole PAM
issue.

DES
-- 
Dag-Erling Smørgrav - des at des.no
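
The single-challenge limit described in the message above, as an added toy model that is not part of the original post and is not OpenSSH or PAM code. The stack functions, prompt strings and answers are constructed for illustration, and keyboard-interactive is simplified to one prompt per round.

```python
# Toy model, constructed for illustration; not OpenSSH or PAM code.
class TooManyChallenges(Exception):
    """The auth stack asked a second question that the transport cannot carry."""

def password_stack(secret):
    # One prompt, one answer: what a plain password module needs.
    answer = yield "Password: "
    return answer == secret

def otp_then_password_stack(otp, secret):
    # Hypothetical two-module stack: a one-time-password challenge, then a password.
    first = yield "OTP challenge 0498 ab1234: "
    second = yield "Password: "
    return first == otp and second == secret

def run_tis(stack, respond):
    """ssh1 TIS as described in the post: exactly one challenge and one response."""
    try:
        challenge = next(stack)
        stack.send(respond(challenge))
    except StopIteration as done:
        return bool(done.value)
    stack.close()
    raise TooManyChallenges("no slot for a second challenge")

def run_keyboard_interactive(stack, respond):
    """ssh2 keyboard-interactive, simplified to one prompt per round."""
    try:
        prompt = next(stack)
        while True:
            prompt = stack.send(respond(prompt))
    except StopIteration as done:
        return bool(done.value)

def outcome(runner, stack, respond):
    # Map a run to a label so the three possible results are easy to compare.
    try:
        return "accepted" if runner(stack, respond) else "denied"
    except TooManyChallenges:
        return "broken"

# Constructed client answers, keyed by prompt text.
ANSWERS = {"Password: ": "s3cret", "OTP challenge 0498 ab1234: ": "RED FOX"}

if __name__ == "__main__":
    for name, runner in (("TIS", run_tis), ("kbd-int", run_keyboard_interactive)):
        print(name, outcome(runner, password_stack("s3cret"), ANSWERS.get),
              outcome(runner, otp_then_password_stack("RED FOX", "s3cret"), ANSWERS.get))
```

The one-prompt stack is accepted over both transports; the two-prompt stack completes only over the keyboard-interactive model, which is why the outcome depends on what the PAM configuration for sshd contains.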




More information about the openssh-unix-dev mailing list