Keyboard-interactive authentication from a PAM module

Julián de Navascués julian.navascues at gmail.com
Fri Nov 7 03:31:48 EST 2008


Hi again,

I'm working on the same PAM module that Josele is working on. First of all
thank you for your reply. I would like to answer your questions:

> - what platform is this running on? Probably will not make a difference
> but it might help.

We are developing under Linux (latest Ubuntu desktop, OpenSSH 5.1),
but in the future we would like to support any Unix.

> - what does your PAM config look like for sshd?

We have a very foolish temp config... just for testing:

auth   optional  our_pam_module.so
auth   sufficient  pam_succeed_if.so uid >= 0


> - is the module source publicly available? (ie can I reproduce this configuration?)

I guess you think we have a complex module... but the only thing we do is:

#include <unistd.h>
#include <security/pam_modules.h>
#include <security/pam_ext.h>     /* pam_info() lives here on Linux-PAM */

static const unsigned int n_seconds = 5;   /* placeholder delay for the test */

PAM_EXTERN int pam_sm_authenticate ( pam_handle_t *pamh, int flags,
                                     int argc, const char **argv )
{
   pam_info  ( pamh,  "Hello\n" );      // shouldn't it work as a
                                        // fprintf on the ssh client side?

   sleep ( n_seconds );

   return PAM_SUCCESS;
}

If we use this module in other PAM aware application ( like the switch
user command "su" ) we see first the message "Hello", then wait
n_seconds, then return PAM_SUCCESS... and auth depends on
/etc/pam.d/su and other modules.

BUT, if we try the same with our sshd (keyboard interactive
authentication via PAM) we only see our "Hello" message after the
n_seconds, when the PAM auth is finished. Also, if we prompt something
after the pam_info call (prompt for a password, for example), we can
see the "Hello" message.

So... we know it's possible to do it with "su", but... we are not sure
if it's possible to send a message to the SSH client, I mean:

SSH Client <----- "Hello" ---------| sshd | <-------- "Hello" ------------ | PAM module says Hello and sleeps...


Facts:

Keyboard interactive ( RFC:
http://www.rfc-archive.org/getrfc.php?rfc=4256 ) authentication allows
sending to the SSH client without prompting, as the RFC says:

1. In the case that the server sends a `0' num-prompts field in the
    request message, the client MUST send a response message with a `0'
    num-responses field to complete the exchange.

2. The num-prompts field may be `0', in which case there will be no
    prompt/echo fields in the message, but the client SHOULD still
    display the name and instruction fields (as described below)

Question:

Is sshd able to receive an info message from PAM (as a PAM aware
app in a PAM conversation) and send it immediately to the SSH client
(as an SSH server in the middle of a keyboard interactive
authentication) ???

Has anybody done this before?  I know it sounds complicated or even
absurd, but we want it (and we don't want to patch the SSH server or
client).


Thanks again for your help and sorry for my bad English,

Julian





Josele Lerele wrote:
> I am using version 5.1. I know you can send information through the
> banner, but I would like to send dynamic information from the PAM
> module.

I wasn't referring to the banner file. The PAM code uses the banner
protocol message to send data provided by PAM under some conditions when
there's no prompt.

> Do you think this is possible without prompting something in the
> client?

Depends on what PAM passes sshd.

Could you please compile and run (as root) this little test program
to show what PAM's doing and post the output? (Sanity checking the code
first is recommended. It doesn't set noecho so you want to make sure
there's nobody watching over shoulders, and obviously clip any sensitive
bits from the output.)

http://www.zip.com.au/~dtucker/patch...test-harness.c

A few other random questions:

- what platform is this running on? Probably will not make a difference
but it might help.

- what does your PAM config look like for sshd?

- is the module source publicly available? (ie can I reproduce this
configuration?)

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev