Solaris password requirements not enforced
Darren Tucker
dtucker at zip.com.au
Thu Aug 12 18:11:05 EST 2004
Darren J Moffat wrote:
> On Wed, 2004-08-11 at 15:46, Darren Tucker wrote:
>>PAM ERROR_MSG and TEXT_INFO messages are collected and sent with the
>>prompts to the user. The upshot is any ERROR_MSG or TEXT_INFO messages
>>sent after PROMPT_ECHO* will not be displayed if the authentication
>>fails. If the authentication succeeds, the remaining messages are
>>stored for display to the user after login.
>
> I don't think that is the correct thing to do. I think OpenSSH does
> this because it is preempting what it believes the content and meaning
> of messages after a PROMPT_ECHO* might mean. The whole point of PAM is
> that the application doesn't drive the conversation with the end user
> the modules and the configuration of the PAM stack do.
I happen to agree. I was trying to explain current behaviour, not
justify it.
> I believe that sshd should just send what ever PAM gives it to the
> client. If it turns out that leaks security relevant information that
> isn't the fault of sshd it is the fault of the PAM module.
I agree with that too, however I'm not sure if the existing kbdint
framework can easily be modified to send zero-prompt kbdint messages, so
another mechanism (eg USERAUTH_BANNER) might be needed instead.
I accept that OpenSSH's PAM support has rough edges, but we're trying to
file those off, one edge at a time (see the change logs [1] since
3.8.1p1). It will never be perfect: I think there are a couple of
architectural mismatches between the PAM API and the SSH2 protocol but
it can (and, hopefully, will) improve.
(secureshell at securityfocus removed, the moderator is not approving posts
to this thread because they're cross-posted)
[1] http://cvsweb.mindrot.org/index.cgi/openssh/auth-pam.c
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list