problem with pam_converse with openssh protocol version 1

Frank Cusack fcusack at fcusack.com
Wed Jun 22 06:27:50 EST 2005


On June 21, 2005 5:55:05 PM +0200 Marcin Mogielnicki <mar_mog at o2.pl> wrote:
> I suspect that I will receive a very simple answer - "use v2 only". It is the simplest and the most
> secure and effective, but unacceptable. Some of the machines (Cray SV1 for example) have v1 only
> implemented. Besides, hundreds of users connect to my site every day - try to persuade all of them
> to use v2 only.
>
> So one more time:
>
> 1) if ChallengeResponseAuthentication is set to yes, pam conversation works right with v2, but v1
> returns PAM_CONV_ERR. Moreover, it asks the user for weird things, which makes the user call me.
> 2) if ChallengeResponseAuthentication is set to no, no pam conversation takes place in v1 and v2
> - PAM_CONV_ERR is returned by sshd to the pam module.
>
> Is there any way to implement pam conversation in the v1 protocol? If not, it would be nice for v1
> to converse with the user in a more comprehensible way.

In v1, you'd have to use TIS authentication.  You have to make sure your client
doesn't echo the password, though.  (I think all modern clients are conservative
and don't echo.)  You might end up having to make some small sshd changes to make
this work.

Frank



