problem with pam_converse with openssh protocol version 1
Frank Cusack
fcusack at fcusack.com
Wed Jun 22 09:59:02 EST 2005
On June 22, 2005 9:35:06 AM +1000 Darren Tucker <dtucker at zip.com.au> wrote:
> Frank Cusack wrote:
>> On June 22, 2005 8:52:31 AM +1000 Darren Tucker <dtucker at zip.com.au> wrote:
>>> My read of the original SSH1 protocol spec is that there is only one
>>> challenge/response pair
>>> permitted by the protocol. For the TIS response, it says:
>>
>> Ah. I must have made some client-side code changes to make this work,
>> then. (In my original response I already said some sshd changes
>> might be necessary.) They're rather easy.
>
> I guess you could do it on the server side only by maintaining the PAM context between auth
> attempts and disabling all other auth types. From a protocol perspective this would be 2
> separate TIS attempts, the first failing and the second succeeding but to the user it would look
> kinda right.
>
> It's awfully hacky, though. Isn't correctness a priority for you? :-)
:-)
Actually, what I did was to allow any number of challenge messages.
So a failure message is indeed a failure. I collected all the prompts
in the conversation function and sent them one at a time as individual
challenges to the client.
That's just from memory; I don't have the code anymore.
Frank
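The approach Frank describes (collect every prompt the PAM module hands to the conversation function, then send each one as its own TIS challenge and wait for its answer) can be sketched as a conversation callback. The following is an added example in C; it is not code from this thread or from OpenSSH. The `pam_message`/`pam_response` types and the `PAM_*` constants are declared locally, mirroring their Linux-PAM definitions, so the block builds without libpam; `tis_exchange_fn`, `conv_ctx`, `scripted_exchange` and `run_demo` are hypothetical stand-ins for sshd's transport and for a client. Because PAM expects all responses back from a single call, each challenge/response round trip has to block inside the callback. Note also Darren's point: the SSH1 spec permits one TIS challenge per attempt, so this server-side mechanism only works against a client modified to accept several, which is the client-side change Frank mentions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins for the PAM conversation types and constants from
 * security/pam_appl.h (values as in Linux-PAM), declared here so the
 * example compiles without linking libpam. */
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2
#define PAM_ERROR_MSG       3
#define PAM_TEXT_INFO       4
#define PAM_SUCCESS         0
#define PAM_CONV_ERR        19

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Hypothetical transport hook: send one TIS challenge to the client and
 * block until its single response arrives; NULL means the client gave up. */
typedef char *(*tis_exchange_fn)(const char *challenge, void *transport);

struct conv_ctx {
    tis_exchange_fn exchange;
    void *transport;
    int challenges_sent;      /* separate challenge messages sent so far */
};

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Conversation function: one challenge/response round trip per prompt,
 * instead of bundling all prompts into a single challenge. Informational
 * messages have no place in a TIS exchange and are not forwarded. */
static int multi_challenge_conv(int num_msg, const struct pam_message **msg,
                                struct pam_response **resp, void *appdata)
{
    struct conv_ctx *ctx = appdata;
    struct pam_response *r;
    int i;

    if (num_msg <= 0) return PAM_CONV_ERR;
    r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_CONV_ERR;

    for (i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:
        case PAM_PROMPT_ECHO_OFF:
            ctx->challenges_sent++;
            r[i].resp = ctx->exchange(msg[i]->msg, ctx->transport);
            if (!r[i].resp) goto fail;   /* client aborted: whole conversation fails */
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
            break;
        default:
            goto fail;
        }
    }
    *resp = r;
    return PAM_SUCCESS;

fail:
    for (i = 0; i < num_msg; i++) free(r[i].resp);
    free(r);
    return PAM_CONV_ERR;
}

/* Constructed client that answers challenges from a fixed script. */
struct scripted_client { const char **answers; int n; int next; };

static char *scripted_exchange(const char *challenge, void *transport)
{
    struct scripted_client *c = transport;
    (void)challenge;
    if (c->next >= c->n) return NULL;      /* script exhausted: client gives up */
    return dup_str(c->answers[c->next++]);
}

/* Run one conversation for a constructed two-prompt module (PIN, then a
 * one-time token code). a1/a2 are the client's scripted answers (NULL =
 * none). Returns the number of challenges sent, or -1 if the
 * conversation failed; optionally joins the responses with '|' into joined. */
int run_demo(const char *a1, const char *a2, char *joined, size_t joined_len)
{
    const struct pam_message m0 = { PAM_TEXT_INFO,       "Token login" };
    const struct pam_message m1 = { PAM_PROMPT_ECHO_OFF, "PIN: " };
    const struct pam_message m2 = { PAM_PROMPT_ECHO_ON,  "Token code: " };
    const struct pam_message *msgs[3] = { &m0, &m1, &m2 };
    const char *answers[2];
    int n = 0, i;
    if (a1) answers[n++] = a1;
    if (a1 && a2) answers[n++] = a2;

    struct scripted_client client = { answers, n, 0 };
    struct conv_ctx ctx = { scripted_exchange, &client, 0 };
    struct pam_response *resp = NULL;

    if (multi_challenge_conv(3, msgs, &resp, &ctx) != PAM_SUCCESS) return -1;

    if (joined && joined_len > 1) {
        joined[0] = '\0';
        for (i = 0; i < 3; i++) {
            if (!resp[i].resp) continue;
            if (joined[0]) strncat(joined, "|", joined_len - strlen(joined) - 1);
            strncat(joined, resp[i].resp, joined_len - strlen(joined) - 1);
        }
    }
    for (i = 0; i < 3; i++) free(resp[i].resp);
    free(resp);
    return ctx.challenges_sent;
}

int main(void)
{
    char joined[64];
    int sent = run_demo("1234", "567890", joined, sizeof joined);
    printf("challenges sent: %d, responses: %s\n", sent, joined);
    return sent == 2 ? 0 : 1;
}
```

With a client that answers both prompts, two challenges go out and the module gets both responses in one `pam_response` array; if the client stops after the first challenge, the conversation as a whole returns `PAM_CONV_ERR`, which is exactly the "a failure message is indeed a failure" behaviour described above rather than a partial success.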