PAM_AUTH_ERR messages
Darren Tucker
dtucker at zip.com.au
Sun May 1 11:56:36 EST 2005
David Leonard wrote:
>>Sean wrote:
>>>There seems to be no way for PAM to inform a user why her ssh login
>>>attempt is being denied. Neither PAM_TEXT_INFO nor PAM_ERROR_MSG
>>>conversation messages are passed on to the user by sshd unless the login
>>>is successful. This is causing great frustration for us at several sites
>>>where users can't figure out why their logins aren't working.
>
> I'm seeing the same problem being hit here. (4.0p1 keyboard-interactive)
>
> Our pam module believes that calling through the pam_conv (during auth,
> and just before returning PAM_AUTH_ERR) will display an important message
> to the user. But it doesn't, and it causes confusion.
OK, this is a separate problem to the one Sean is having.
I had a patch a while back that worked around this by sending kbdint
packets with text but no prompt, however the patch was truly evil.
Using a ssh2 banner message might be a viable option for this too.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev mailing list