Solaris password requirements not enforced

Darren J Moffat Darren.Moffat at Sun.COM
Thu Aug 12 08:57:30 EST 2004


On Wed, 2004-08-11 at 15:46, Darren Tucker wrote:

> PAM ERROR_MSG and TEXT_INFO messages are collected and sent with the 
> prompts to the user.  The upshot is any ERROR_MSG or TEXT_INFO messages 
> sent after PROMPT_ECHO* will not be displayed if the authentication 
> fails.  If the authentication succeeds, the remaining messages are 
> stored for display to the user after login.

I don't think that is the correct thing to do.  I think OpenSSH does
this because it is preempting what it believes the content and meaning
of messages after a PROMPT_ECHO* might be.  The whole point of PAM is
that the application doesn't drive the conversation with the end user;
the modules and the configuration of the PAM stack do.

I believe that sshd should just send whatever PAM gives it to the
client.  If it turns out that leaks security-relevant information, that
isn't the fault of sshd; it is the fault of the PAM module.  It is a
reasonably common practice (on Solaris at least) to provide an option
that can be given to the PAM module to suppress its messages.  In
addition to that, proper configuration of the PAM stack should either
eliminate trying later modules or ensure that all modules are tried,
depending on what policy the admin wants.

-- 
Darren J Moffat
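The following is an added model of the two delivery policies under discussion; it is not OpenSSH code and not code from either poster. It simulates a PAM conversation function fed a constructed sequence of module messages and compares the collect-and-send-with-prompts behaviour Darren Tucker describes (trailing ERROR_MSG/TEXT_INFO shown only if authentication succeeds) with the forward-everything behaviour Darren Moffat argues for. The message style constants mirror the standard PAM values so that it builds without libpam headers; the sample messages and function names are assumptions made for the illustration.

```c
/*
 * Added model of how a PAM conversation function may deliver ERROR_MSG and
 * TEXT_INFO messages to an SSH client.  Not OpenSSH code: both policies are
 * simplified reconstructions of the behaviours described in the thread.
 */
#include <stdio.h>
#include <string.h>

/* Message styles, mirroring the standard PAM constant values (assumption:
 * defined locally so the example builds without <security/pam_appl.h>). */
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2
#define PAM_ERROR_MSG       3
#define PAM_TEXT_INFO       4

#define MAX_MSGS 16

struct msg { int style; const char *text; };

/* What the client actually gets to see, in order. */
struct delivered { int n; const char *text[MAX_MSGS]; };

static void deliver(struct delivered *d, const char *text)
{
    if (d->n < MAX_MSGS)
        d->text[d->n++] = text;
}

/* Policy A (argued for above): forward every message as the module emits it. */
void conv_forward(const struct msg *m, int count, int auth_ok, struct delivered *d)
{
    (void)auth_ok;                 /* outcome does not affect delivery */
    for (int i = 0; i < count; i++)
        deliver(d, m[i].text);
}

/* Policy B (as described in the quoted text): collect ERROR_MSG/TEXT_INFO and
 * send them together with the next prompt; anything left after the last
 * prompt is shown only if authentication succeeds, otherwise it is dropped. */
void conv_buffer(const struct msg *m, int count, int auth_ok, struct delivered *d)
{
    const char *held[MAX_MSGS];
    int nheld = 0;
    for (int i = 0; i < count; i++) {
        if (m[i].style == PAM_PROMPT_ECHO_OFF || m[i].style == PAM_PROMPT_ECHO_ON) {
            for (int j = 0; j < nheld; j++)
                deliver(d, held[j]);       /* flush collected text with the prompt */
            nheld = 0;
            deliver(d, m[i].text);
        } else if (nheld < MAX_MSGS) {
            held[nheld++] = m[i].text;
        }
    }
    if (auth_ok)
        for (int j = 0; j < nheld; j++)
            deliver(d, held[j]);           /* shown after login */
    /* on failure the trailing messages are lost */
}

/* Constructed module output: an info notice, the password prompt, and an
 * error explaining why the module rejected the password. */
static const struct msg sample[] = {
    { PAM_TEXT_INFO,       "Your password will expire in 3 days." },
    { PAM_PROMPT_ECHO_OFF, "Password: " },
    { PAM_ERROR_MSG,       "Password too short - must be at least 8 characters." },
};
static const int sample_n = (int)(sizeof sample / sizeof sample[0]);

/* Number of messages the client sees under each policy for a given outcome. */
int seen_forward(int auth_ok)
{
    struct delivered d = {0};
    conv_forward(sample, sample_n, auth_ok, &d);
    return d.n;
}

int seen_buffer(int auth_ok)
{
    struct delivered d = {0};
    conv_buffer(sample, sample_n, auth_ok, &d);
    return d.n;
}

/* 1 if the trailing ERROR_MSG reached the client under the buffering policy. */
int buffer_shows_error(int auth_ok)
{
    struct delivered d = {0};
    conv_buffer(sample, sample_n, auth_ok, &d);
    for (int i = 0; i < d.n; i++)
        if (strcmp(d.text[i], sample[2].text) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("forward, auth failed: %d messages\n", seen_forward(0));
    printf("buffer,  auth failed: %d messages (error shown: %d)\n",
           seen_buffer(0), buffer_shows_error(0));
    printf("buffer,  auth ok:     %d messages (error shown: %d)\n",
           seen_buffer(1), buffer_shows_error(1));
    return 0;
}
```

The point the model makes concrete: under the buffering policy a failed authentication drops the ERROR_MSG that explains why the password was rejected, which is exactly the message a user hitting a password-requirement failure needs to see. Whether such a message should reach an unauthenticated client is, as the post argues, a matter for the module's options (many Solaris modules accept an option to suppress their messages) and for the stack's control flags, where requisite stops the stack at the first failure and required lets the remaining modules run.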




More information about the openssh-unix-dev mailing list