PAM_AUTH_ERR messages
Darren Tucker
dtucker at zip.com.au
Sun May 1 00:49:33 EST 2005
Sean wrote:
> There seems to be no way for PAM to inform a user why her ssh login
> attempt is being denied. Niether PAM_TEXT_INFO or PAM_ERROR_MSG
> conversation messages are passed on to the user by sshd unless the login
> is successful. This is causing great frustration for us at several sites
> where users can't figure out why their logins aren't working.
What version of OpenSSH is this, which authentication method, and which
module type is denying the login? In 4.0p1, results of failing account
and session modules are sent to the user (account messages via SSH2
banner messages, the session modules via the session itself).
> Would a patch be accepted to display such text even on login failure with
> a couple second of delay afterward? Or is there a way to already do this
> that i'm just missing?
Possibly, but it's not trivial: you can't just printf() the message
because if authentication fails then there's no session to send the
messages down.
There's a few things to consider:
* For keyboard-interactive, the kbdint machinery currently doesn't send
any messages after the authentication fails (ie it won't send a
zero-prompt message with the failure text).
* The messages will accumulate in the monitor when privsep=yes and will
need to be copied to the slave before they can be sent to the user (see
mm_do_pam_account for an example).
* The output could be sent in banner messages (however they're a
Protocol 2 only feature).
* For protocol 1 the only option appears to be a disconnect message.
* There's also a potential issue with leaking information: it'll behave
significantly differently if the authentication is denied for other
reasons (eg DenyUsers).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list