problem with pam_converse with openssh protocol version 1
Darren Tucker
dtucker at zip.com.au
Wed Jun 22 09:35:06 EST 2005
Frank Cusack wrote:
> On June 22, 2005 8:52:31 AM +1000 Darren Tucker <dtucker at zip.com.au> wrote:
>> My read of the original SSH1 protocol spec is that there is only one
>> challenge/response pair permitted by the protocol. For the TIS
>> response, it says:
>
> Ah. I must have made some client-side code changes to make this work,
> then. (In my original response I already said some sshd changes
> might be necessary.) They're rather easy.
I guess you could do it on the server side only by maintaining the PAM
context between auth attempts and disabling all other auth types. From
a protocol perspective this would be 2 separate TIS attempts, the first
failing and the second succeeding but to the user it would look kinda right.
It's awfully hacky, though. Isn't correctness a priority for you? :-)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.