Keyboard-interactive authentication from a PAM module

Darren Tucker dtucker at
Thu Nov 6 22:57:38 EST 2008

Josele Lerele wrote:
> I am using version 5.1. I know you can send information through the 
> banner, but I would like to send dynamic information from the PAM 
> module.

I wasn't refering to the banner file.  The PAM code uses the banner 
protocol message to send data provided by PAM under some conditions when 
there's no prompt.

> Do you think this is possible without prompting something in the 
> client?

Depends on what PAM passes sshd.

Could you please you compile and run (as root) this little test program 
to show what PAM's doing and post the output?  (Sanity checking the code 
first is recommended.  It doesn't set noecho so you want to make sure 
there's nobody watching over shoulders, and obviously clip any sensitive 
bits from the output.)

A few other random questions:

- what platform is this running on?  Probably will not make a difference 
but it might help.

- what does your PAM config look like for sshd?

- is the module source publicly available?  (ie can I reproduce this 

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list