problem with pam_converse with openssh protocol version 1

Frank Cusack fcusack at fcusack.com
Wed Jun 22 09:07:29 EST 2005


On June 22, 2005 8:52:31 AM +1000 Darren Tucker <dtucker at zip.com.au> wrote:
> Frank Cusack wrote:
>> On June 21, 2005 5:55:05 PM +0200 Marcin Mogielnicki <mar_mog at o2.pl> wrote:
>
>> In v1, you'd have to use TIS authentication. You have to make sure
>> your client doesn't echo the password, though. (I think all modern
>> clients are conservative and don't echo.) You might end up having to
>> make some small sshd changes to make this work.
>
> That's what was being attempted first but it's failing.
>
> Note that in this particular PAM configuration there are 2 calls to the conversation function,
> once for PIN and once for password.  When that fails, it's falling back to plain password
> authentication (you can prevent that by disabling PasswordAuthentication in sshd_config since
> it's probably not going to work with that PAM config anyway).
>
> My read of the original SSH1 protocol spec is that there is only one challenge/response pair
> permitted by the protocol.  For the TIS response, it says:

Ah.  I must have made some client-side code changes to make this work, then.
(In my original response I already said some sshd changes might be necessary.)
They're rather easy.

Frank




More information about the openssh-unix-dev mailing list