Using 'ForceCommand' Option

Darren Tucker dtucker at zip.com.au
Thu Feb 18 13:01:14 AEDT 2016


On Thu, Feb 18, 2016 at 9:47 AM, Lesley Kimmel
<lesley.j.kimmel at gmail.com> wrote:
> [...] I'm not sure a user can interact with a script being executed by PAM.

It depends on what the PAM module running the script does, but probably not.

The PAM stack runs before the user has a tty, so writing to stdout or
stderr is a bad idea (sshd maps these to /dev/null so it won't crash
sshd, but it won't do anything useful either).  Theoretically the PAM
module could read stdio and package up the content into PAM_TEXT_INFO
messages sent via the conversation function which sshd could then send
to the user, but I suspect it would be hard for the PAM module to know
whether or not the script was trying to read from stdin and do
something sensible in that case.

You might be able to construct what you want from pam_echo to send the
message and a module that solicits a response and checks it (I don't
know of such a module but in theory it wouldn't be hard to write).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


More information about the openssh-unix-dev mailing list