PAM_AUTH_ERR messages

Sean seanlkml at sympatico.ca
Sun May 1 02:19:15 EST 2005


On Sat, April 30, 2005 10:49 am, Darren Tucker said:

Hi Darren,

> What version of OpenSSH is this, which authentication method, and which
> module type is denying the login?  In 4.0p1, results of failing account
> and session modules are sent to the user (account messages via SSH2
> banner messages, the session modules via the session itself).

It's Fedora FC3 openssh-3.9p1-8.0.1.  kbd-int password authentication.
And it's a session module.  Originally it was pam_limits doing the login
denial, but unfortunately it doesn't send any message giving a reason for
the failure.  So now we have a custom PAM module :o/  I'm rather shocked
more people aren't running into this.

> Possibly, but it's not trivial: you can't just printf() the message
> because if authentication fails then there's no session to send the
> messages down.

For our purposes we're only trying to report reasons for a session being
denied, so if I understand correctly, this shouldn't be an issue.

> There's a few things to consider:
>
> * For keyboard-interactive, the kbdint machinery currently doesn't send
> any messages after the authentication fails (i.e. it won't send a
> zero-prompt message with the failure text).

This may be the crux of the problem and is definitely the behavior we're
seeing.

> * The messages will accumulate in the monitor when privsep=yes and will
> need to be copied to the slave before they can be sent to the user (see
> mm_do_pam_account for an example).
>
> * The output could be sent in banner messages (however they're a
> Protocol 2 only feature).

Hmmm, protocol 2 isn't a problem, however I don't see anything in
auth-pam.c about "banner messages".  Are they somehow separate from
pam_conv messages?

> * For protocol 1 the only option appears to be a disconnect message.
>
> * There's also a potential issue with leaking information: it'll behave
> significantly differently if the authentication is denied for other
> reasons (e.g. DenyUsers).

Well, the message only comes up after someone enters a correct password,
so I don't think this is actually a leak.


Thanks very much for your help,
Sean
