OpenSSH 3.7.1 compatibility problems on Linux

Sat Sep 20 05:03:07 EST 2003

On Fri, 19 Sep 2003, Dag-Erling Smørgrav wrote:

> James Bourne <jbourne at hardrock.org> writes:
> > > This is PAM mediated through ssh1's TIS authentication feature.
> > IMHO, this should be a single prompt, not 2 seperate prompts and BTW, this
> > comes from the client NOT the server.  The "Response: " portion is actually
> > completely superfluous output...
> 
> Then turn PAM off and stop whining.  The only way to implement PAM
> authentication in ssh1 is to abuse the TIS authentication protocol, so

A little difficult when the only way to get LDAP support into ssh is by
using pam, and besides, *why* would anyone even contemplate using different
auth implementations for the various services on a server when you can use a
single framework to auth with?

> you have a choice between 1) PAM authentication that looks like crap
> and 2) no PAM authentication.  Take your pick.

Apply the attached patch and you don't have a problem with double prompts. 
Not saying it's the right solution but it works...

> > Also, this only happens when connecting to a newer version server.  For
> > example, connecting to a server running 3.7.1p1 you get the second prompt,
> > but connecting to a server with a patched 3.1p1 (ala Red Hat) from the same
> > host using the same client, you get user at host's password:
> 
> because 3.1 didn't have (proper) PAM support.

Fine, granted.

> 
> > > > Authentication with the latter never works, however works with the former.
> > > If password authentication fails when you type the correct password,
> > > you probably did something wrong at build time (like disable shadow
> > > passwords).
> > No actually, it is some incompatability with clients which do not support
> > "keyboard-interactive" authentication.
> 
> There is no "keyboard-interactive" authentication in ssh1.  You need
> to get better at that "reading" thing you've been hearing about.

No kidding, that's why those clients don't support keyboard-interactive...

There's no way in ssh1 to authenticate with a password then?  Doesn't make
much sense does it?  It was doing password authentication before with
version 1, now it can't and it breaks clients which can't do ssh v2?

What I'm trying to say is that for the authentication sequence you should
be able to pass the user and creds off to "pick your service"; pam, sia,
glibc getpwent/crypt/strcmp or what ever; and get back an ack or a nak to say
it's authenticated with ssh1 clients.  You shouldn't have to jump through
hoops to get those authenticated...  Otherwise, just drop the v1 support all
together because those clients will never work properly with this version,
but then SAY you're going to break it first please...

Regards
James

> 
> DES
> 

-- 
James Bourne                  | Email:            jbourne at hardrock.org          
Unix Systems Administrator    | WWW:           http://www.hardrock.org
Custom Unix Programming       | Linux:  The choice of a GNU generation
----------------------------------------------------------------------
 "All you need's an occasional kick in the philosophy." Frank Herbert  
-------------- next part --------------

--- openssh-3.7.1p1/sshconnect1.c.orig	Fri Sep 19 12:28:03 2003
+++ openssh-3.7.1p1/sshconnect1.c	Fri Sep 19 12:48:33 2003
@@ -376,7 +376,7 @@
 	int type, i;
 	u_int clen;
 	char prompt[1024];
-	char *challenge, *response;
+	char *challenge, *response, *ptr;
 
 	debug("Doing challenge response authentication.");
 
@@ -398,8 +398,13 @@
 		}
 		challenge = packet_get_string(&clen);
 		packet_check_eom();
-		snprintf(prompt, sizeof prompt, "%s%s", challenge,
-		    strchr(challenge, '\n') ? "" : "\nResponse: ");
+
+		if((ptr = strchr(challenge, '\n')) != NULL)
+			*ptr = '\0';
+		
+		snprintf(prompt, sizeof prompt, "%s",
+			strlen(challenge) > 1 ? challenge : "Response: ");
+		
 		xfree(challenge);
 		if (i != 0)
 			error("Permission denied, please try again.");
