[Bug 2408] Expose authentication information to PAM

bugzilla-daemon at bugzilla.mindrot.org
Tue Nov 21 22:18:45 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2408

radoslaw at ejsmont.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---
                 CC|                            |radoslaw at ejsmont.net

--- Comment #16 from radoslaw at ejsmont.net ---
Hi,

I took a look at the original patch proposed by György and the sources
of the 7.6 release. While the proposed patches expose auth info to PAM
for session and accounting modules, reading OP's sources and his use
case (https://cern-cert.github.io/pam_2fa/) I reckon that the proposed
patch does not solve OP's problem. The initial idea behind this patch
was to allow PAM to detect successful authentication performed by
OpenSSH's own methods and decide which additional authentication methods
were required. The design was to allow users to log in using PAM
keyboard-interactive (passwd, mysql, ldap, whatever), getting a proper
password prompt and 2FA (google, yubico, whatever), or using OpenSSH's
own mechanism (pubkey, gssapi), avoid the password prompt and jump
directly to the 2FA prompt. This use case requires exposure of
SSH_AUTH_INFO within the auth module, not session or accounting.

Could György please comment on that?


Best,

Radek
