problem with pam_converse with openssh protocol version 1

Darren Tucker dtucker at zip.com.au
Wed Jun 22 10:49:14 EST 2005


Frank Cusack wrote:
[about hacking SSHv1 TIS auth for multiple challenges]
> Actually, what I did was to allow any number of challenge messages.
> So a failure message is indeed a failure.  I collected all the prompts
> in the conversation function and sent them one at a time as individual
> challenges to the client.

I don't think that's guaranteed to work with a compliant SSHv1 client. 
The client is well within its rights to try some other auth type after 
the first TIS failure then abort when the server violates the protocol 
by sending a second TIS challenge without the client first sending a 
SSH_CMSG_AUTH_TIS.

It may work with an unmodified client but purely by accident.

If they're going to have to modify clients they may as well deploy a v2 
client which can support it properly.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
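
The protocol rule the reply relies on, as an added example (not code from this thread or from OpenSSH): a checker that walks an SSHv1 message trace and reports the first TIS challenge the client did not request with SSH_CMSG_AUTH_TIS. Message names other than SSH_CMSG_AUTH_TIS and the numeric values are taken from the SSHv1 definitions in OpenSSH's ssh1.h; `struct msg`, the function name and both traces are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* SSHv1 message numbers (values as in OpenSSH's ssh1.h). */
enum {
    SSH_SMSG_SUCCESS = 14, SSH_SMSG_FAILURE = 15,
    SSH_CMSG_AUTH_TIS = 39, SSH_SMSG_AUTH_TIS_CHALLENGE = 40,
    SSH_CMSG_AUTH_TIS_RESPONSE = 41
};

struct msg { int from_client; int type; };   /* hypothetical trace record */
#define NMSG(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed trace: one challenge per SSH_CMSG_AUTH_TIS request. */
static const struct msg compliant[] = {
    {1, SSH_CMSG_AUTH_TIS}, {0, SSH_SMSG_AUTH_TIS_CHALLENGE},
    {1, SSH_CMSG_AUTH_TIS_RESPONSE}, {0, SSH_SMSG_FAILURE},
    {1, SSH_CMSG_AUTH_TIS}, {0, SSH_SMSG_AUTH_TIS_CHALLENGE},
    {1, SSH_CMSG_AUTH_TIS_RESPONSE}, {0, SSH_SMSG_SUCCESS},
};

/* Constructed trace: server sends each extra prompt as a further challenge. */
static const struct msg multi_challenge[] = {
    {1, SSH_CMSG_AUTH_TIS}, {0, SSH_SMSG_AUTH_TIS_CHALLENGE},
    {1, SSH_CMSG_AUTH_TIS_RESPONSE}, {0, SSH_SMSG_AUTH_TIS_CHALLENGE},
    {1, SSH_CMSG_AUTH_TIS_RESPONSE}, {0, SSH_SMSG_SUCCESS},
};

/*
 * Return the index of the first TIS challenge that is not a direct reply
 * to SSH_CMSG_AUTH_TIS, or -1 if every challenge was requested.
 */
int first_unsolicited_challenge(const struct msg *m, size_t n)
{
    int pending = 0;    /* last client message the server has not answered */
    for (size_t i = 0; i < n; i++) {
        if (m[i].from_client) { pending = m[i].type; continue; }
        if (m[i].type == SSH_SMSG_AUTH_TIS_CHALLENGE && pending != SSH_CMSG_AUTH_TIS)
            return (int)i;
        pending = 0;    /* a server message consumes the pending request */
    }
    return -1;
}

int main(void)
{
    printf("compliant: %d\n", first_unsolicited_challenge(compliant, NMSG(compliant)));
    printf("multi-challenge: %d\n", first_unsolicited_challenge(multi_challenge, NMSG(multi_challenge)));
    return 0;
}
```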



