Keyboard-interactive authentication from a PAM module

Julián de Navascués julian.navascues at gmail.com
Fri Nov 7 23:27:45 EST 2008


Hi again,


Sorry, I'm afraid I don't understand how this can help with this subject,
mainly because I don't see the relation between the pam-test and the sshd or
my module. Probably you wanted me to do something different; this is what
I have run:


user at ubuntu804desktop:~/Desktop$ sudo ./pam-test-harness -T -v
[sudo] password for user:
0.00  $Id: pam-test-harness.c,v 1.31 2007/08/19 02:27:40 dtucker Exp $
0.00  conversation struct {conv=0x8049119, appdata_ptr=0x804bb78}
0.00  pam_start(login, (NULL), &conv, &pamh)
0.01   = 0 (Success)
0.01  pam_get_item(pamh, PAM_SERVICE, ...)
0.01   = 0 (Success)
0.01      PAM_SERVICE = login (unchanged)
0.01  pam_set_item(pamh, PAM_TTY, "ssh")
0.01   = 0 (Success)
0.01  pam_set_item(pamh, PAM_RHOST, "ubuntu804desktop")
0.01   = 0 (Success)
0.01  pam_set_item(pamh, PAM_RUSER, "user")
0.01   = 0 (Success)
0.01  pam_authenticate(pamh, 0x0)
0.01      conversation called with 1 messages data 0x804bb78
0.01          PROMPT_ECHO_ON: login:user
2.53          [conversation function returned]
2.53      conversation called with 1 messages data 0x804bb78
2.53          PROMPT_ECHO_OFF: Password: user
3.44          [conversation function returned]
3.44   = 0 (Success)
3.44  pam_acct_mgmt(pamh, 0x0)
3.44   = 0 (Success)
3.44  pam_open_session(pamh, 0x0)
3.45      conversation called with 1 messages data 0x804bb78
3.45          TEXT_INFO: Last login: Thu Nov  6 19:15:02 EST 2008 from localhost on pts/5
3.45      conversation called with 1 messages data 0x804bb78
3.45          TEXT_INFO: Linux ubuntu804desktop 2.6.24-21-generic #1 SMP Tue Oct 21 23:43:45 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
3.45   = 0 (Success)
3.45  pam_setcred(pamh, 0x0)
3.45   = 0 (Success)
3.45  pam_get_item(pamh, PAM_SERVICE, ...)
3.45   = 0 (Success)
3.45      PAM_SERVICE = login (unchanged)
3.45  pam_get_item(pamh, PAM_USER, ...)
3.45   = 0 (Success)
3.45      PAM_USER = user (CHANGED)
3.45  pam_get_item(pamh, PAM_TTY, ...)
3.45   = 0 (Success)
3.45      PAM_TTY = ssh (unchanged)
3.45  Standard environment variables:
3.45  PAM environment variables:
3.45      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
3.45      LANG=en_US.UTF-8
3.45      MAIL=/var/mail/user
3.45  uid 0 euid 0 gid 0 egid 0
3.45  pam_close_session(pamh, 0)
3.45   = 0 (Success)
3.45  pam_end(pamh, 0)
3.45   = 0 (Success)
> It should, but having said that it would only work for keyboard-interactive
> and PAM can be invoked for other auth types (password, for the auth stack or
> any, for the account stack).  Banner messages can be sent at any time before
> authentication is complete (that's why they're used for this).

Yes, that's fine, we only want it working with keyboard-interactive and
PAM.  I wanted to ask you in the last email: what are "banner messages" in a
PAM context?  I mean, as far as I know the only way to send information
messages from a PAM module is the PAM conversation (
http://linux.die.net/man/3/pam_conv conv function with PAM_TEXT_INFO ).  I
didn't find any other way... Am I wrong?

I have seen that pam_info uses this conv in subsequent calls...

Thanks
On Fri, Nov 7, 2008 at 12:38 AM, Darren Tucker <dtucker at zip.com.au> wrote:

> Julián de Navascués wrote:
> [...]
>
>> Is the sshd able to receive an info message from PAM  (as a PAM aware
>> app in a PAM conversation) and send it immediately to the SSH client
>> (as a SSH server in the middle of a keyboard interactive
>> authentication) ???
>>
>
> It should, but having said that it would only work for keyboard-interactive
> and PAM can be invoked for other auth types (password, for the auth stack or
> any, for the account stack).  Banner messages can be sent at any time before
> authentication is complete (that's why they're used for this).
>
>>  Has anybody done this before?  I know it sounds complicated or even
>> absurd, but we want it (and we don't want to patch SSH server or
>> client).
>>
> [...]
>
> I will look at this but it would be easier if you can supply the output
> from the diag tool I asked for:
>
>  Could you please compile and run (as root) this little test program
>> to show what PAM's doing and post the output? (Sanity checking the code
>> first is recommended. It doesn't set noecho so you want to make sure
>> there's nobody watching over shoulders, and obviously clip any sensitive
>> bits from the output.)
>>
>> http://www.zip.com.au/~dtucker/patch...test-harness.c
>>
>
> (addendum: if the timing is important to you please add the -v option to
> enable timestamps)
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>    Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
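
The mechanism the question turns on, as an added example that is not code from the thread, from the poster's module or from OpenSSH: a PAM module has exactly one channel back to the user, the application's conversation function, and an informational line is sent by passing a PAM_TEXT_INFO message through it. The block below shows both halves: a module-side helper that builds and sends the message, and an application-side conversation callback standing in for the sshd side, which records what it receives. The struct and constant definitions are assumptions that mirror Linux-PAM's <security/pam_appl.h> so the file builds without libpam installed; a real module includes that header and <security/pam_modules.h>, and gets the conversation pointer with pam_get_item(pamh, PAM_CONV, ...) instead of being handed it directly.

```c
/* Added example (not from the thread or OpenSSH): delivering a PAM_TEXT_INFO
 * message from a module to the application through the PAM conversation.
 * The definitions below mirror Linux-PAM's <security/pam_appl.h> so this
 * builds stand-alone; a real module includes the PAM headers instead. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS          0
#define PAM_BUF_ERR          5
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int num_msg, const struct pam_message **msg,
                struct pam_response **resp, void *appdata_ptr);
    void *appdata_ptr;
};

/* ---- module side: one informational line to the user ----------------- */
/* The application allocates a pam_response per message even for TEXT_INFO,
 * so the module owns and must free the response array it gets back. */
static int pam_send_info(const struct pam_conv *conv, const char *text)
{
    struct pam_message msg = { PAM_TEXT_INFO, text };
    const struct pam_message *msgp = &msg;
    struct pam_response *resp = NULL;
    int rc;

    if (conv == NULL || conv->conv == NULL)
        return PAM_CONV_ERR;
    rc = conv->conv(1, &msgp, &resp, conv->appdata_ptr);
    if (resp != NULL) {
        free(resp[0].resp);
        free(resp);
    }
    return rc;
}

/* ---- application side: stand-in for sshd's conversation function ------ */
#define MAX_SEEN 8
struct seen_log {
    int  count;                  /* messages received so far */
    int  styles[MAX_SEEN];
    char texts[MAX_SEEN][128];
};

/* Records every message; prompts get an empty answer (a real application
 * would ask the user), TEXT_INFO/ERROR_MSG need no answer at all. */
static int recording_conv(int num_msg, const struct pam_message **msg,
                          struct pam_response **resp, void *appdata_ptr)
{
    struct seen_log *log = appdata_ptr;
    struct pam_response *r;
    int i, j;

    if (num_msg <= 0)
        return PAM_CONV_ERR;
    if ((r = calloc((size_t)num_msg, sizeof *r)) == NULL)
        return PAM_BUF_ERR;

    for (i = 0; i < num_msg; i++) {
        if (log->count < MAX_SEEN) {
            log->styles[log->count] = msg[i]->msg_style;
            snprintf(log->texts[log->count], sizeof log->texts[0], "%s", msg[i]->msg);
            log->count++;
        }
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:
        case PAM_PROMPT_ECHO_OFF: r[i].resp = calloc(1, 1); break;
        case PAM_TEXT_INFO:
        case PAM_ERROR_MSG:       r[i].resp = NULL;         break;
        default:
            for (j = 0; j < i; j++) free(r[j].resp);
            free(r);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Module sends two constructed info lines; returns how many TEXT_INFO
 * messages the application side recorded, or -1 on a conversation error. */
static int run_info_exchange(struct seen_log *log)
{
    struct pam_conv conv = { recording_conv, log };
    int n = 0, i;

    memset(log, 0, sizeof *log);
    if (pam_send_info(&conv, "Your password expires in 3 days") != PAM_SUCCESS ||
        pam_send_info(&conv, "Second factor accepted") != PAM_SUCCESS)
        return -1;
    for (i = 0; i < log->count; i++)
        if (log->styles[i] == PAM_TEXT_INFO) n++;
    return n;
}

int main(void)
{
    struct seen_log log;
    int n = run_info_exchange(&log), i;
    for (i = 0; i < log.count; i++)
        printf("style %d: %s\n", log.styles[i], log.texts[i]);
    return n == 2 ? 0 : 1;
}
```

The recording callback is the piece that sshd supplies in real life. As Darren notes above, sshd can only pass these lines on to the client while a keyboard-interactive exchange is in progress; if the same module runs under password authentication or from the account stack, there is no client-facing channel for them, whatever the module sends.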


More information about the openssh-unix-dev mailing list