PAM_AUTH_ERR messages

Darren Tucker dtucker at zip.com.au
Sun May 1 00:49:33 EST 2005


Sean wrote:
> There seems to be no way for PAM to inform a user why her ssh login
> attempt is being denied.   Neither PAM_TEXT_INFO nor PAM_ERROR_MSG
> conversation messages are passed on to the user by sshd unless the login
> is successful.   This is causing great frustration for us at several sites
> where users can't figure out why their logins aren't working.

What version of OpenSSH is this, which authentication method, and which 
module type is denying the login?  In 4.0p1, results of failing account 
and session modules are sent to the user (account messages via SSH2 
banner messages, the session modules via the session itself).

> Would a patch be accepted to display such text even on login failure with
> a couple of seconds of delay afterward?  Or is there a way to already do this
> that I'm just missing?

Possibly, but it's not trivial: you can't just printf() the message 
because if authentication fails then there's no session to send the 
messages down.

There are a few things to consider:

* For keyboard-interactive, the kbdint machinery currently doesn't send 
any messages after the authentication fails (i.e. it won't send a 
zero-prompt message with the failure text).

* The messages will accumulate in the monitor when privsep=yes and will 
need to be copied to the slave before they can be sent to the user (see 
mm_do_pam_account for an example).

* The output could be sent in banner messages (however they're a 
Protocol 2 only feature).

* For protocol 1 the only option appears to be a disconnect message.

* There's also a potential issue with leaking information: it'll behave 
significantly differently if the authentication is denied for other 
reasons (e.g. DenyUsers).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
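As an added example (not code from this thread or from OpenSSH), here is the buffering pattern Darren describes: a non-interactive PAM conversation function that stores PAM_TEXT_INFO and PAM_ERROR_MSG text so the caller can forward it after the account check has returned, and refuses prompts it cannot answer. The PAM constants and structs are stand-alone copies assumed to mirror Linux-PAM's header so the file builds without libpam; the sample messages are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-alone copies of the PAM conversation API (values assumed to
 * mirror Linux-PAM's <security/pam_appl.h>); with libpam installed, include it. */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19,
       PAM_PROMPT_ECHO_OFF = 1, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* Text accumulates here until a channel (e.g. an SSH2 banner) exists to send it on. */
struct msgbuf { char *data; size_t len; };

static int append_msg(struct msgbuf *b, const char *text) {
    size_t n = strlen(text);
    char *p = realloc(b->data, b->len + n + 2);    /* text + '\n' + NUL */
    if (p == NULL) return -1;
    memcpy(p + b->len, text, n); b->len += n;
    p[b->len++] = '\n'; p[b->len] = '\0';
    b->data = p;
    return 0;
}

/* Non-interactive conversation: buffer info/error text, refuse prompts (nobody
 * can answer them while pam_acct_mgmt() runs in the privsep monitor). */
int store_conv(int n, const struct pam_message **msg,
               struct pam_response **resp, void *appdata) {
    struct msgbuf *b = appdata;
    if (n <= 0 || msg == NULL || resp == NULL) return PAM_CONV_ERR;
    struct pam_response *reply = calloc((size_t)n, sizeof *reply);
    if (reply == NULL) return PAM_BUF_ERR;
    for (int i = 0; i < n; i++) {
        if (msg[i]->msg_style != PAM_TEXT_INFO && msg[i]->msg_style != PAM_ERROR_MSG) { free(reply); return PAM_CONV_ERR; }
        if (append_msg(b, msg[i]->msg) != 0) { free(reply); return PAM_BUF_ERR; }
    }
    *resp = reply;   /* NULL responses: info/error entries need no answer */
    return PAM_SUCCESS;
}

/* Constructed sample: text a failing account module might emit, then a prompt
 * that must be refused without disturbing the stored text. */
const char *demo_account_denied(void) {
    static char out[256]; struct msgbuf b = { NULL, 0 };
    struct pam_message m1 = { PAM_ERROR_MSG, "Account locked by administrator" };
    struct pam_message m2 = { PAM_TEXT_INFO, "Contact the helpdesk" };
    struct pam_message m3 = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *denial[] = { &m1, &m2 }, *prompt[] = { &m3 };
    struct pam_response *r = NULL;
    if (store_conv(2, denial, &r, &b) != PAM_SUCCESS) return NULL;
    free(r);
    if (store_conv(1, prompt, &r, &b) != PAM_CONV_ERR) return NULL;
    snprintf(out, sizeof out, "%s", b.data);
    free(b.data);
    return out;
}
```

Whether the buffered text is then shown to the user is a separate policy decision; the last point in the thread (behaving the same as other denial reasons such as DenyUsers) still applies to whatever consumes the buffer.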