openssh, pam, challenge-response problem

Skalak Zdenek skalak at
Tue Sep 8 18:12:37 EST 2009


	when configuring the OpenSSH to authenticate through pam_radius, I 
encountered the following problem:

	The radius server is configured to accept username and generic 
password, it then generates some textual string as a challenge-request 
and waits again for username and this time for challenge-response.

	Pam_radius use pam->conv function, retrieved with 
pam_get_item(PAM_COM), with challenge-request and type 
PAM_PROMPT_ECHO_ON, to present the challenge-request to user and to 
retrieve the challenge-response.

	OpenSSH sets the PAM_CONV function to sshpam_passwd_conv() (defined in 
pam_auth.c). But this function doesn't have implemented the 
PAM_PROMPT_ECHO_ON flavor, and returns the PAM_CONV_ERROR :-(

	It should be possible to implement the PAM_PROMPT_ECHO_ON conversation 
either with read()/write() or with fdopen()/fprintf()/fgets()/fclose() 
(as is done similary for stdin in sshpam_tty_conv()), but we need the 
socket. The only way to pass the information into the pam module is by 
Authctxt structure. So we need to add the "int socket" field into the 
Convctxt structure and then use it (if not set to -1) for 
challenge-response authentication.

	Sounds possible?

	Best regards
		Zdenek OGAR Skalak
Ing. Zdenek OGAR Skalák
Monet+ a.s.	        <>
Za Dvorem 505, 763 14 Zlín - Štípa, CZ
Tel: +420 / 577 110 411,  Fax: +420 / 577 914 557

Tato zprava byla prohledana na vyskyt viru
a nebezpecneho obsahu antivirovym systemem
MailScanner a zda se byt cista.

More information about the openssh-unix-dev mailing list