Sending immediate PAM auth failure messages via kbd-int
Darren Tucker
dtucker at zip.com.au
Wed Jun 2 00:18:19 EST 2004
Hi.
One thing that people seem to want to do with PAM is to deny a login
immediately without interacting but return a message to the user. (Some
platforms implement, eg, /etc/nologin via PAM this way.) Currently, sshd
will just deny the login and the user will not be told why.
Attached is a patch that returns a keyboard-interactive packet with the
message in the "instruction" block but with zero prompts (this is
permitted by kbdinteract-06 section 3.4).
The next question is whether or not it's a good idea to send extra info
to a denied login. As a rule, sshd doesn't, but this condition only
occurs if the admin explicitly configures PAM to behave this way. This
won't happen with the recently re-added PAM-via-password authentication,
only keyboard-interactive.
This has an interesting side-effect on the OpenSSH client: it immediately
retries (since it's just a failed kbdint auth attempt) so the message is
repeated 3 times. This can be fixed in the client (I have a 4-line
patch that disables kbdint if it gets a message with zero prompts) but
I'm not sure it's the right thing to do. The server might have multiple
keyboard-interactive "devices" and the next one might behave differently.
Similarly, making sshd disable keyboard-interactive in this case
doesn't seem right either, since a client might choose to do
something differently (like change username) in response to the message.
Anyway, feel free to discuss the patch, try it or pick it apart :-)
-Daz.
$ ssh -o preferredauthentications=keyboard-interactive localhost
No user logins right now.
No user logins right now.
No user logins right now.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Name: openssh-pam-zeromsgs.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040602/2c7e903b/attachment.ksh
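The zero-prompt keyboard-interactive message discussed in the post, as an added Python example that is not part of the post or its patch: it encodes and decodes SSH_MSG_USERAUTH_INFO_REQUEST in the wire layout of the kbd-interact draft (later RFC 4256), and a minimal client handler that displays the instruction text and reports whether the server sent zero prompts, which is the condition the post's client-side fix keys on. Message numbers 60 and 61 are from the draft; the function names are my own.

```python
import struct

SSH_MSG_USERAUTH_INFO_REQUEST = 60   # kbd-interact draft / RFC 4256
SSH_MSG_USERAUTH_INFO_RESPONSE = 61


def _string(b: bytes) -> bytes:
    """SSH 'string' wire type: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_info_request(instruction: str, prompts=(), name: str = "", lang: str = "") -> bytes:
    """Encode SSH_MSG_USERAUTH_INFO_REQUEST. An empty prompt list is legal and is how
    the PAM message in the post is delivered: text in 'instruction', num-prompts 0."""
    out = bytes([SSH_MSG_USERAUTH_INFO_REQUEST])
    out += _string(name.encode()) + _string(instruction.encode()) + _string(lang.encode())
    out += struct.pack(">I", len(prompts))
    for text, echo in prompts:
        out += _string(text.encode()) + bytes([1 if echo else 0])
    return out


def parse_info_request(pkt: bytes):
    """Decode the request into (name, instruction, [(prompt, echo), ...])."""
    if pkt[0] != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise ValueError("not an SSH_MSG_USERAUTH_INFO_REQUEST")
    pos = 1

    def take_string() -> str:
        nonlocal pos
        (n,) = struct.unpack_from(">I", pkt, pos)
        pos += 4
        s = pkt[pos:pos + n]
        pos += n
        return s.decode()

    name, instruction, _lang = take_string(), take_string(), take_string()
    (num_prompts,) = struct.unpack_from(">I", pkt, pos)
    pos += 4
    prompts = []
    for _ in range(num_prompts):
        text = take_string()
        echo = bool(pkt[pos])
        pos += 1
        prompts.append((text, echo))
    return name, instruction, prompts


def client_handle(pkt: bytes, answer=lambda prompt, echo: ""):
    """Client side: collect the lines to show the user, answer each prompt, and build
    the INFO_RESPONSE; the third result flags a zero-prompt (message-only) request."""
    name, instruction, prompts = parse_info_request(pkt)
    shown = [line for line in (name, instruction) if line]
    responses = [answer(p, e) for p, e in prompts]
    resp = bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", len(responses))
    for r in responses:
        resp += _string(r.encode())
    return shown, resp, len(prompts) == 0
```

A client that sees the third result set to True has received the server's denial text and can decide, as the post weighs, whether to stop retrying keyboard-interactive or try again with different input.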