openssh, pam, challenge-response problem
Skalak Zdenek
skalak at monetplus.cz
Tue Sep 8 18:12:37 EST 2009
Hello,
when configuring OpenSSH to authenticate through pam_radius, I
encountered the following problem:
The radius server is configured to accept a username and a generic
password; it then generates some textual string as a challenge-request
and waits again for the username and, this time, for the challenge-response.
pam_radius uses the pam->conv function, retrieved with
pam_get_item(PAM_COM), with the challenge-request and type
PAM_PROMPT_ECHO_ON, to present the challenge-request to the user and to
retrieve the challenge-response.
OpenSSH sets the PAM_CONV function to sshpam_passwd_conv() (defined in
pam_auth.c). But this function doesn't implement the
PAM_PROMPT_ECHO_ON flavor, and returns PAM_CONV_ERROR :-(
It should be possible to implement the PAM_PROMPT_ECHO_ON conversation
either with read()/write() or with fdopen()/fprintf()/fgets()/fclose()
(as is done similarly for stdin in sshpam_tty_conv()), but we need the
socket. The only way to pass the information into the pam module is by
the Authctxt structure. So we need to add an "int socket" field into the
Convctxt structure and then use it (if not set to -1) for
challenge-response authentication.
Does that sound possible?
Best regards
Zdenek OGAR Skalak
--
Ing. Zdenek OGAR Skalák
Monet+ a.s. <http://www.monetplus.cz>
Za Dvorem 505, 763 14 Zlín - Štípa, CZ
Tel: +420 / 577 110 411, Fax: +420 / 577 914 557
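To illustrate the conversation function the post asks for, here is an added example (not OpenSSH code, and not from the poster): a PAM conversation callback that answers PAM_PROMPT_ECHO_ON and PAM_PROMPT_ECHO_OFF prompts over a socket carried in an application context, rejects unknown message styles with PAM_CONV_ERR, and wipes any reply it must discard. The struct and constant definitions mirror Linux-PAM's <security/pam_appl.h> (redefined here so the file builds without libpam-dev; OpenPAM uses different numeric values); the `conv_ctx` struct, its `sock` field, and the `demo_challenge` helper are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Mirrors Linux-PAM's pam_appl.h so the example compiles standalone (constructed). */
#define PAM_SUCCESS         0
#define PAM_BUF_ERR         5
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2
#define PAM_ERROR_MSG       3
#define PAM_TEXT_INFO       4
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Hypothetical application context handed to the conversation via appdata_ptr;
 * sock is -1 when no client channel is available. */
struct conv_ctx { int sock; };

/* Overwrite a secret before freeing it; volatile keeps the stores from being elided. */
static void wipe_free(char *s)
{
    volatile char *p = s;
    if (s == NULL) return;
    while (*p) *p++ = 0;
    free(s);
}

static int write_all(int fd, const char *s)
{
    size_t len = strlen(s);
    while (len > 0) {
        ssize_t w = write(fd, s, len);
        if (w <= 0) return -1;
        s += w; len -= (size_t)w;
    }
    return 0;
}

/* Read one newline-terminated line; refuse overlong input instead of truncating it. */
static int read_line(int fd, char *buf, size_t cap)
{
    size_t n = 0;
    for (;;) {
        char c;
        if (read(fd, &c, 1) <= 0) return -1;      /* EOF or error before newline */
        if (c == '\n') break;
        if (n + 1 >= cap) return -1;
        buf[n++] = c;
    }
    buf[n] = '\0';
    return (int)n;
}

/* PAM conversation: prompts (echo on or off) are sent to the client socket and
 * the reply line becomes the response; info/error text is only forwarded. */
int sock_conv(int n, const struct pam_message **msg,
              struct pam_response **resp, void *appdata_ptr)
{
    struct conv_ctx *ctx = appdata_ptr;
    struct pam_response *reply;
    char line[256];
    int i;

    if (n <= 0 || ctx == NULL || ctx->sock < 0) return PAM_CONV_ERR;
    if ((reply = calloc((size_t)n, sizeof(*reply))) == NULL) return PAM_BUF_ERR;

    for (i = 0; i < n; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:    /* e.g. a RADIUS challenge string */
        case PAM_PROMPT_ECHO_OFF:   /* e.g. a password; client must not echo */
            if (write_all(ctx->sock, msg[i]->msg) < 0 ||
                read_line(ctx->sock, line, sizeof line) < 0 ||
                (reply[i].resp = strdup(line)) == NULL)
                goto fail;
            break;
        case PAM_TEXT_INFO:
        case PAM_ERROR_MSG:
            if (write_all(ctx->sock, msg[i]->msg) < 0 || write_all(ctx->sock, "\n") < 0)
                goto fail;
            break;
        default:                    /* unknown style: fail closed */
            goto fail;
        }
    }
    *resp = reply;
    return PAM_SUCCESS;

fail:
    for (i = 0; i < n; i++) wipe_free(reply[i].resp);
    free(reply);
    return PAM_CONV_ERR;
}

/* Demo helper (constructed): one message of `style` over a socketpair whose
 * client end has `answer` (newline-terminated) queued; copies the reply to out. */
int demo_challenge(int style, const char *challenge, const char *answer, char *out, size_t cap)
{
    int sv[2], rc;
    struct conv_ctx ctx;
    struct pam_message m = { style, challenge };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;

    out[0] = '\0';
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return PAM_CONV_ERR;
    ctx.sock = sv[0];
    rc = write_all(sv[1], answer) < 0 ? PAM_CONV_ERR : sock_conv(1, &mp, &r, &ctx);
    if (rc == PAM_SUCCESS) { snprintf(out, cap, "%s", r[0].resp); wipe_free(r[0].resp); free(r); }
    close(sv[0]); close(sv[1]);
    return rc;
}

int main(void)
{
    char out[64];
    int rc = demo_challenge(PAM_PROMPT_ECHO_ON, "Challenge 4711, enter token code: ", "123456\n", out, sizeof out);
    printf("rc=%d response=%s\n", rc, out);   /* rc=0 response=123456 */
    return rc == PAM_SUCCESS ? 0 : 1;
}
```

In a real server the socket would be the channel to the authenticating client (in OpenSSH's case the keyboard-interactive path), and the PAM_PROMPT_ECHO_OFF case would normally be answered from the password already received rather than by prompting again; the bounded read_line and the fail-closed default branch are the parts worth keeping whatever the transport.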