Pending OpenSSH release, call for testing.

Darren Tucker dtucker at zip.com.au
Mon Aug 16 22:00:17 EST 2004 

Robert Dahlem wrote:
[...]
> I'm currently in the process of implementing something like an intruder 
> lockout mechanism based on some hacking to pam_tally.so from Linux-PAM-
> 0.77. Please do not comment that this is an invitation to DOS attacks. I 
> know it. The suits won't understand and call it "a known risk".

Well, that seems to suggest whose accounts to test it on, does it not?
:-)

> I would expect any text to appear on the client terminal that the server 
> sends through the PAM conversation function with msg_type PAM_ERROR_MSG 
> or PAM_TEXT_INFO. Well, at least with telnet this works already. But who 
> wants telnet anyway? :-) 
> 
> By some fiddling with debug() I can prove that the text sent by the PAM 
> module is seen by sshpam_passwd_conv() on the server side, but I can't 
> see that text on the client side. Can anyone please give me a pointer 
> where to look?

It's almost certainly not due to your module.  This question came up on 
secureshell at securityfocus too, this is a repost of my answer there:

[quote]
As soon as the PAM call completes, the keyboard-interactive machinery 
considers the authentication attempt complete and no further 
keyboard-interactive messages are sent for that round.

PAM ERROR_MSG and TEXT_INFO messages are collected and sent with the 
prompts to the user.  The upshot is any ERROR_MSG or TEXT_INFO messages 
sent after PROMPT_ECHO* will not be displayed if the authentication 
fails.  If the authentication succeeds, the remaining messages are 
stored for display to the user after login.

It would be possible within the protocol to have a final message in the 
kbdint round with the message in the "instruction" field but zero 
prompts.  I don't know how hard that would be to implement.  There's a 
couple of other options (USERAUTH_BANNER, eg [1] or packet_disconnect).

[1] http://bugzilla.mindrot.org/show_bug.cgi?id=892

[/quote]

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list