SSH : UsePAM yes and Password authentication

Darren Tucker dtucker at zip.com.au
Wed Jun 2 12:28:59 EST 2004


Kumaresh wrote:
[snip]
> In order to achieve this, we like the sshd server to do the
> keyboard-interactive feature for Password authentication also. That is, even
> the normal password authentication it has to go through PAM.

This is now in the current version, and the patch is available here:
http://bugzilla.mindrot.org/show_bug.cgi?id=874

> First of all, what are the impacts for this change in design? Is this change
> valid?

In order for PasswordAuthentication to work with PAM, sshd must use a 
"blind" conversation function: i.e. every time PAM sends an echo-off 
prompt, it responds with the password, and pretty much anything else 
generates an error.  This means that if you have PAM modules that prompt 
twice and require different responses, prompt with echo on, or require 
the user to respond based on the content of the prompts (e.g. a real 
challenge-response system), it won't work.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
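
The blind conversation described in the message above, as an added example that is not part of the original e-mail and is not OpenSSH's code: a self-contained C model that runs four constructed module prompt sequences through it. Assumptions: no libpam is linked, the constants carry Linux-PAM's numeric values, every non-echo-off message is treated as an error (a simplification of "pretty much anything else"), and the struct, function and scenario names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Linux-PAM's numeric values, defined locally so this model builds without libpam. */
enum { PROMPT_ECHO_OFF = 1, PROMPT_ECHO_ON = 2, CONV_OK = 0, CONV_ERR = 19 };
struct msg  { int style; const char *text; };
/* Hypothetical module step: a prompt plus the answer the module will accept. */
struct step { struct msg m; const char *expected; };

/* Blind conversation: every echo-off prompt gets the password, anything
 * else is an error. The prompt text is never looked at. */
static int blind_conv(const struct msg *m, const char *password, char **resp)
{
    *resp = NULL;
    if (m->style != PROMPT_ECHO_OFF)
        return CONV_ERR;
    if ((*resp = malloc(strlen(password) + 1)) == NULL)
        return CONV_ERR;
    strcpy(*resp, password);
    return CONV_OK;
}

/* Drive a module's prompts through blind_conv; 1 = authenticated, 0 = failed. */
int try_module(const struct step *steps, int n, const char *password)
{
    for (int i = 0; i < n; i++) {
        char *resp;
        if (blind_conv(&steps[i].m, password, &resp) != CONV_OK)
            return 0;                       /* conversation error */
        int ok = strcmp(resp, steps[i].expected) == 0;
        free(resp);
        if (!ok) return 0;                  /* module rejected the answer */
    }
    return 1;
}

/* Constructed scenarios; password, token and challenge values are made up. */
static const char PW[] = "constructed-password";
const struct step plain[]     = {{{PROMPT_ECHO_OFF, "Password: "}, PW}};
const struct step two_step[]  = {{{PROMPT_ECHO_OFF, "Password: "}, PW},
                                 {{PROMPT_ECHO_OFF, "Token: "}, "492817"}};
const struct step echo_on[]   = {{{PROMPT_ECHO_ON, "Login: "}, "alice"}};
const struct step challenge[] = {{{PROMPT_ECHO_OFF, "Challenge 7731: "}, "resp-7731"}};

int main(void)
{
    printf("plain=%d two_step=%d echo_on=%d challenge=%d\n",
           try_module(plain, 1, PW), try_module(two_step, 2, PW),
           try_module(echo_on, 1, PW), try_module(challenge, 1, PW));
    return 0;
}
```

Only the single echo-off password prompt authenticates; the second prompt, the echo-on prompt and the challenge each fail, matching the three cases the message lists.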




More information about the openssh-unix-dev mailing list