OpenSSH Linux portable patch proposal
György Demarcsek Ifj.
dgy.jr92 at gmail.com
Tue Jun 2 23:46:58 AEST 2015
Dear OpenSSH Developers,

I would like to propose a patch to OpenSSH for Linux. In the last few
months, I have encountered a scenario where a PAM module used for
authentication in SSH should be informed about the previous successful
authentication methods. I described the complete scenario here:
http://serverfault.com/questions/690038/openssh-two-factor-authentication-combined-with-kerberos-public-key

In this use case, I want to introduce a 2nd factor for authentication while
accepting public key or GSSAPI authentication as the first factor. If and only
if none of those methods were successful, a password authentication should
be performed before the second factor.

I also e-mailed this to this mailing list on 4 May. On the basis of a reply
from Damien Miller, there is currently no way to fully accomplish this
scenario with the OpenSSH server. So I have made a PoC implementation that I
think does the trick:
https://github.com/dgyuri92/openssh-portable/commit/4a006cad8e3f8b9277ce41747d11261175c161e2

Would you be so kind as to take a look at it? Do you think it could be
beneficial for other users too? I think it would be a nice feature to have,
especially in use cases like mine, and it is quite a small patch. Is there a
chance that this patch - or a functionally equivalent one - can be
integrated into future releases?

Thank you very much!

Cheers,
György Demarcsek