problem with pam_converse with openssh protocol version 1
Marcin Mogielnicki
mar_mog at o2.pl
Wed Jun 22 01:55:05 EST 2005
Hi,
My company decided to implement security restrictions lately and I was
to write stricter authorization modules for PAM. One of them works by
asking for some kind of additional security string (for example a PIN from
some kind of token). It is done by a PAM module, which asks the calling
application to do the conversation for it:
    const struct pam_conv *conv;
    struct pam_message prompt_msg;
    const struct pam_message *pmsg[1];
    struct pam_response *resp = NULL;
    int i = 0, retval;
    char *pin;

    prompt_msg.msg_style = PAM_PROMPT_ECHO_OFF;   /* hidden input, like a password */
    prompt_msg.msg = "Enter PIN:";
    pmsg[i++] = &prompt_msg;
    retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
    if (retval != PAM_SUCCESS)
        return PAM_SYSTEM_ERR;
    /* hand the prompt to the calling application's conversation function */
    retval = conv->conv(i, pmsg, &resp, conv->appdata_ptr);
    if (retval != PAM_SUCCESS || resp == NULL)
        return PAM_SYSTEM_ERR;
    pin = strdup(resp->resp);
    free(resp->resp);   /* the module owns the response array and its strings */
    free(resp);
It works. For example rlogin shows the string "Enter PIN:" and returns the
answer in resp->resp. OpenSSH works exactly the same, the right way, if
'ChallengeResponseAuthentication yes' is set and the v2 protocol is used.
With v1, PAM_CONV_ERR is always returned, which means that an error occurred
during the conversation with the user. However, no conversation takes place -
"Enter PIN:" is not shown; the user is asked for nothing. Logging in with v1
looks this way:
# ssh -1 -p machine
Password:
Response:
user at machine's password:
(...)
It depends on the PAM configuration; if the user is allowed in, PAM_CONV_ERR
is returned and no conversation took place at all.
v2:
# ssh -2 machine
Password:
Enter PIN:
(...)
Everything works like it should.
I suspect that I will receive a very simple answer - "use v2 only". It is
the simplest, the most secure and effective, but unacceptable. Some
machines (Cray SV1 for example) have only v1 implemented. Besides,
hundreds of users connect to my site every day - try to persuade all of
them to use v2 only.
So one more time:
1) if ChallengeResponseAuthentication is set to yes, the PAM conversation
works right with v2, but v1 returns PAM_CONV_ERR. Moreover, it asks the user
for weird things, which makes the user call me.
2) if ChallengeResponseAuthentication is set to no, the PAM conversation
takes place in neither v1 nor v2 - PAM_CONV_ERR is returned by sshd to the
PAM module.
Is there any way to implement the PAM conversation in the v1 protocol? If not,
it would be nice for v1 to converse with the user in a more comprehensible way.
All the tests took place on Solaris 9 and Linux - both behave in exactly
the same (i.e. wrong) way.
Thanks in advance,
Marcin Mogielnicki, ICM, Poland