conversation function for pam_acct_mgmt failing?
Darren Tucker
dtucker at zip.com.au
Tue Nov 16 19:35:07 EST 2004
Brian Parent wrote:
> I'm trying to use PAM on Solaris 8 with sshd (openssh 3.9p1) to run
> the pam_acct_mgmt function and give some feedback to the user
> if/when their account doesn't meet the necessary local requirements.
>
> Things work fine when I use rlogin, i.e. a user gets authenticated
> by typing in their password, and if their account has been suspended
> (locally written programs maintain a database which a pam module checks),
> they receive a nice message that tells them why their login failed.
> When I use sshd, the functionality is correct (logins fail after authentication
> if account is suspended), except that the message to the user never makes it
> to their screen. I've used debugging to show that the message does make it
> to the conversation function, but the message never prints out.
Funny you should mention that, it's been fixed in -current. Well, mostly.
The problem is that although the conversation works, there wasn't an
easy way to get the messages to the user. Post-3.9, we added some code
to pass the message from the monitor to the slave, and to send it (in
one of several ways) to the user if the auth or session modules fail.
(The attached "pam-merged" patch contains a backport of those changes to
3.9p1.)
At the moment, for auth modules, it'll return the message but won't
terminate the connection, so the user can try to reauthenticate
(although it will never succeed). There's still a patch pending to fix
this ("pam-disconnect", attached, which applies on top of "pam-merged").
It won't fix the SSHv2 keyboard-interactive (which needs some additional
work), so you'll need to disable it and enable PasswordAuthentication,
but it should work for all other auth types.
Try them (either both on 3.9p1, or just "pam-disconnect" on a snapshot)
and let us know how it goes.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-pam-merged.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041116/99460003/attachment.ksh
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-pam-disconnect.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041116/99460003/attachment-0001.ksh
More information about the openssh-unix-dev
mailing list