Hi. I need to necro an old feature request from May 2000: Option PAMServiceName
Corvus Corax
corvus-ml at cybertrench.com
Thu Mar 14 22:18:42 AEDT 2019
Hello OpenSSH devs.
My name is Eric (aka Corvus Corax), I'm currently working as a PhD
student at the Max Planck Institute for Intelligent Systems in Germany.
I wanted to setup 2 factor authentication with OpenSSH using PAM.
but I ran into the following issue requiring a really dirty
hack/workaround:
https://pastebin.com/SuCG6dft
Effectively SSHD is executing two different authentications - one for
password (alternative to ssh key) and one for a challenge response 2
factor token, like this:
AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive
Both authentication methods use the PAM (auth) aspect to let PAM
handle the actual authentication. Yet OpenSSH only uses a single
service name and as such only a single configuration is possible,
requiring really dirty hacks in PAM to distinguish from which context
PAM is being called.
(In fact, I think the described hack doesn't even work in the latest
openssh-portable, making this impossible)
The much more elegant solution would be a feature in OpenSSH to set the
PAMServiceName based on the authentication method used.
Turns out, I am not the first person requesting this.
The first feature request (with patch) I found in
https://marc.info/?l=openssh-unix-dev&m=95840880026194&w=2
in the archive.
The issue came up again in bug
https://bugzilla.mindrot.org/show_bug.cgi?id=1041 in 2005
And then in the 2013 to 2015 period there's a number of emails on the
list starting with
https://marc.info/?l=openssh-unix-dev&m=136846294704608&w=2
and related to bug
https://bugzilla.mindrot.org/show_bug.cgi?id=2246
Of course I only found all this after I already did my own
implementation, which I put both on github and on bugzilla:
https://github.com/openssh/openssh-portable/pull/122
https://bugzilla.mindrot.org/show_bug.cgi?id=2980
Sadly, the old implementation from bug 2246 (which is still open)
is no longer compatible with the latest openssh-portable. But I was
able to take some of the issues/suggestions raised with that bug and
apply it to my re-implementation.
(Mainly related to auth-pam internal state handling when reinitiating
the pam session)
Personally, I think my approach to solving this is slightly superior
(although its also more lazy) than the approach taken in bug 2246
It also has the advantage that it works in the latest openssh-portable.
But I would really like to get some feedback on this.
best regards,
Eric
More information about the openssh-unix-dev
mailing list