PAM_AUTH_ERR messages
Sean
seanlkml at sympatico.ca
Sun May 1 02:19:15 EST 2005
On Sat, April 30, 2005 10:49 am, Darren Tucker said:

Hi Darren,

> What version of OpenSSH is this, which authentication method, and which
> module type is denying the login? In 4.0p1, results of failing account
> and session modules are sent to the user (account messages via SSH2
> banner messages, the session modules via the session itself).

It's Fedora FC3 openssh-3.9p1-8.0.1. kbd-int password authentication.
And it's a session module. Originally it was pam_limits doing the login
denial, but unfortunately it doesn't send any message giving a reason for
the failure. So now we have a custom PAM module :o/ I'm rather shocked
more people aren't running into this.

> Possibly, but it's not trivial: you can't just printf() the message
> because if authentication fails then there's no session to send the
> messages down.

For our purposes we're only trying to report reasons for a session being
denied, so if I understand correctly, this shouldn't be an issue.

> There's a few things to consider:
>
> * For keyboard-interactive, the kbdint machinery currently doesn't send
> any messages after the authentication fails (ie it won't send a
> zero-prompt message with the failure text).

This may be the crux of the problem and is definitely the behavior we're
seeing.

> * The messages will accumulate in the monitor when privsep=yes and will
> need to be copied to the slave before they can be sent to the user (see
> mm_do_pam_account for an example).
>
> * The output could be sent in banner messages (however they're a
> Protocol 2 only feature).

Hmmm, protocol 2 isn't a problem, however I don't see anything in
auth-pam.c about "banner messages". Are they somehow separate from
pam_conv messages?

> * For protocol 1 the only option appears to be a disconnect message.
>
> * There's also a potential issue with leaking information: it'll behave
> significantly differently if the authentication is denied for other
> reasons (eg DenyUsers).

Well, the message only comes up after someone enters a correct password,
so I don't think this is actually a leak.

Thanks very much for your help,
Sean
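The mechanism the thread is circling around, as an added example that is not code from this thread, from OpenSSH or from Linux-PAM: a session module that denies a login and hands the reason to the application through the PAM conversation function as a zero-prompt PAM_TEXT_INFO message, plus an sshd-style conversation callback that buffers such messages because, as Darren notes, there is no session yet to send them down. The struct layouts and constants are copied from the Linux-PAM ABI so the file builds without the PAM headers installed; `app_conv`, `example_open_session`, `demo_session` and the login-count check are assumed names and a constructed policy, not anything in OpenSSH or pam_limits.

```c
/* Added example (not from the thread, OpenSSH or Linux-PAM). The PAM structs
 * and constants below mirror the Linux-PAM ABI (_pam_types.h) so this compiles
 * without <security/pam_modules.h>; with the real headers, use the includes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS      0
#define PAM_BUF_ERR      5
#define PAM_SESSION_ERR  14
#define PAM_CONV_ERR     19
#define PAM_ERROR_MSG    3   /* message style: error text, no prompt   */
#define PAM_TEXT_INFO    4   /* message style: info text, no prompt    */

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};

/* --- application side: what an sshd-like daemon does in its conversation
 * callback for session modules. Text messages are appended to a buffer so
 * they survive until a channel exists to deliver them on. --- */
#define INFO_BUF_SZ 1024
struct info_buf { char text[INFO_BUF_SZ]; size_t len; };

static int app_conv(int n, const struct pam_message **msgs,
                    struct pam_response **resp, void *appdata)
{
    struct info_buf *buf = appdata;
    struct pam_response *r = calloc((size_t)n, sizeof *r);
    if (r == NULL)
        return PAM_BUF_ERR;
    for (int i = 0; i < n; i++) {
        const struct pam_message *m = msgs[i];
        if (m->msg_style != PAM_TEXT_INFO && m->msg_style != PAM_ERROR_MSG) {
            free(r);            /* a prompt from a session module: no user to answer it */
            return PAM_CONV_ERR;
        }
        size_t room = INFO_BUF_SZ - buf->len;          /* always >= 1 */
        int w = snprintf(buf->text + buf->len, room, "%s\n", m->msg);
        if (w > 0)
            buf->len += ((size_t)w < room) ? (size_t)w : room - 1;  /* truncate safely */
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* --- module side: a session module that refuses a login and says why.
 * A real module gets pam_handle_t and fetches the conversation with
 * pam_get_item(pamh, PAM_CONV, ...); here the struct is passed directly. --- */
static int send_info(const struct pam_conv *conv, const char *text)
{
    struct pam_message m = { PAM_TEXT_INFO, text };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    int rc = conv->conv(1, &mp, &r, conv->appdata_ptr);
    if (r != NULL) { free(r[0].resp); free(r); }
    return rc;
}

/* Constructed policy: deny when the user already has max_logins sessions. */
int example_open_session(const struct pam_conv *conv, const char *user,
                         int current_logins, int max_logins)
{
    if (current_logins < max_logins)
        return PAM_SUCCESS;
    char reason[256];
    snprintf(reason, sizeof reason,
             "Login denied for %s: %d sessions open, limit is %d",
             user, current_logins, max_logins);
    send_info(conv, reason);        /* explain the denial before failing */
    return PAM_SESSION_ERR;
}

/* Driver: runs the module against the buffering conversation; the buffered
 * text is left in demo_buf for inspection. */
struct info_buf demo_buf;

int demo_session(const char *user, int current_logins, int max_logins)
{
    memset(&demo_buf, 0, sizeof demo_buf);
    struct pam_conv conv = { app_conv, &demo_buf };
    return example_open_session(&conv, user, current_logins, max_logins);
}

int main(void)
{
    int rc = demo_session("alice", 3, 3);
    printf("rc=%d\n%s", rc, demo_buf.text);
    return rc == PAM_SESSION_ERR ? 0 : 1;
}
```

The buffering callback is the piece that matters for sshd: the module's text is captured regardless of whether the session ever opens, and the daemon decides afterwards how to deliver it (banner message, disconnect message, or not at all for protocol 1). Note that the reason is only ever produced after authentication has already succeeded, which is the point Sean makes about it not being a leak.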