conversation function for pam_acct_mgmt failing?

Brian Parent bparent at calvin.ucsd.edu
Wed Nov 17 07:06:10 EST 2004


Re:
> Date: Tue, 16 Nov 2004 19:35:07 +1100
> From: Darren Tucker <dtucker at zip.com.au>
> To: Brian Parent <bparent at calvin.ucsd.edu>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: conversation function for pam_acct_mgmt failing?
> 
> Brian Parent wrote:
> >I'm trying to use PAM on Solaris 8 with sshd (openssh 3.9p1) to run
> >the pam_acct_mgmt function and give some feedback to the user
> >if/when their account doesn't meet the necessary local requirements.
> >
> >Things work fine when I use rlogin, i.e. a user gets authenticated
> >by typing in their password, and if their account has been suspended
> >(locally written programs maintain a database which a pam module checks),
> >they receive a nice message that tells them why their login failed.  
> >When I use sshd, the functionality is correct (logins fail after 
> >authentication
> >if account is suspended), except that the message to the user never makes 
> >it
> >to their screen.  I've used debugging to show that the message does make 
> >it to the conversation function, but the message never prints out.
> 
> Funny you should mention that, it's been fixed in -current.  Well, mostly.
> 
> The problem is that although the conversation works, there wasn't an 
> easy way to get the messages to the user.  Post-3.9, we added some code 
> to pass the message from the monitor to the slave, and to send it (in 
> one of several ways) to the user if the auth or session modules fail. 
> (The attached "pam-merged" patch contains a backport of those changes to 
> 3.9p1.)
> 
> At the moment, for auth modules, it'll return the message but won't 
> terminate the connection, so the user can try to reauthenticate 
> (although it will never succeed).  There's still a patch pending to fix 
> this ("pam-disconnect", attached, which applies on top of "pam-merged").
> 
> It won't fix the SSHv2 keyboard-interactive (which needs some additional 
> work), so you'll need to disable it and enable PasswordAuthentication, 
> but it should work for all other auth types.
> 
> Try them (either both on 3.9p1, or just "pam-disconnect" on a snapshot) 
> and let us know how it goes.
> 
> -- 
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

Thanks so much for the patches!  I applied the first set, pam-merged,
and tested, but got the same (broken) behaviour.  I then applied the
pam-disconnect patches, and tested, and it worked - the message got
through to the client ssh process, and printed out.

I ran all these tests with "ChallengeResponseAuthentication no".
I also tested with UsePrivilegeSeparation both ways (yes and no).
Let me know if there are any other tests you'd like me to run.

My next hurdle is to recompile and run on our linux systems.
If there's interest, I'll let you know how that goes.




More information about the openssh-unix-dev mailing list