R: how to avoid echo prompt with SSH-PAM conv routine?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



 

Solution was pretty obvious (of course not for me):

 

Introduction:

_plug_make_prompts builds a sasl_interact_t array, one per prompt, successively exploited by the plug_challenge_prompt (in a second call of the client_mech_step).

 

As _plug_make_prompts supports and builds all kinds of prompt entries (user, password, echoprompt, realm) but noechoprompt it happened that plug_challenge_prompt didn’t find any SASL_CB_NOECHOPROMPT entry in the prompts array.

 

Solution:

By providing a small counterpart of _plug_make_prompts  we build a one-entry array of prompts with a SASL_CB_NOECHOPROMPT entry.

This way plug_challenge_prompt can find a matching entry for SASL_CB_NOECHOPROMPT. Now PAM_LDAP receives interact->id == SASL_COB_NOECHOPROMPT and in turn calls misc_conv with PAM_PROMPT_ECHO_OFF.

 

This is how it works now:

 

=============== client mymech step ================================

      if (echo) // such boolean is obtained by the serverin value (user simple reply / secret reply)

        echo_result = _plug_challenge_prompt(params->utils, SASL_CB_ECHOPROMPT,

                                   NULL,

                                   promptText,

                                   (const char**)&text->echoresponse, prompt_need);

      else

        echo_result = _plug_challenge_prompt(params->utils, SASL_CB_NOECHOPROMPT,

                                   NULL,

                                   promptText2,

                                   (const char**)&text->echoresponse, prompt_need);

 

      if ((echo_result != SASL_OK) && (echo_result != SASL_INTERACT))

            return echo_result;

    /* free prompts we got */

    if (prompt_need && *prompt_need) {

            params->utils->free(*prompt_need);

            *prompt_need = NULL;

    }

      /* if there are prompts not filled in */

      if (echo_result == SASL_INTERACT)

      {

            /* make the prompt list */

            if (echo)

                  result =

                    _plug_make_prompts(params->utils, prompt_need,

                                    NULL, NULL,

                                    NULL, NULL,

                                    NULL, NULL,

                                    NULL, promptText,

                                    NULL, NULL, NULL, NULL);

            else

                  result =

                        my_plug_make_noechoprompt(params->utils, prompt_need,

                                   NULL,

                                   promptText2, //noecho

                                   NULL);

            if (result != SASL_OK) return result;

            return SASL_INTERACT;

      }

====================================================================================

 

Where my_plug_make_noechoprompt is as follows:

====================================================================================

/*

 * Make the requested noechoed prompt. (prompt==NULL not allowed)

 */

int my_plug_make_noechoprompt (const sasl_utils_t *utils,

                   sasl_interact_t **prompts_res,

                   const char *echo_chal,

                   const char *noecho_prompt,

                   const char *echo_def)

{

    int num = 1;

    int alloc_size;

    sasl_interact_t *prompts;

 

    if (noecho_prompt) num++;

 

    if (num == 1) {

            SETERROR( utils, "make_prompts() called with no actual prompts" );

            return SASL_FAIL;

    }

 

    alloc_size = sizeof(sasl_interact_t)*num;

    prompts = utils->malloc(alloc_size);

    if (!prompts) {

            MEMERROR( utils );

            return SASL_NOMEM;

    }

    memset(prompts, 0, alloc_size);

 

    *prompts_res = prompts;

 

    if (noecho_prompt) {

            (prompts)->id = SASL_CB_NOECHOPROMPT;

            (prompts)->challenge = echo_chal;

            (prompts)->prompt = noecho_prompt;

            (prompts)->defresult = echo_def;

            prompts++;

    }

 

    /* add the ending one */

    (prompts)->id = SASL_CB_LIST_END;

    (prompts)->challenge = NULL;

    (prompts)->prompt = NULL;

    (prompts)->defresult = NULL;

 

    return SASL_OK;

}

 

====================================================================================

 

Francesco

 

 


Da: Francesco Grossi ITQL [mailto:f.grossi@xxxxxxx]
Inviato: 18 December 2008 19:37
A: 'cyrus-sasl@xxxxxxxxxxxxxxxxxxxx'
Oggetto: how to avoid echo prompt with SSH-PAM conv routine?

 

Hello Everybody

 

I need help

 

We are trying to make a new SASL mechanism to enable ldap authentication via third-party password-validation tool.

User Authentication is routed to the tool which might ask the client for a new password to be keyed in.

 

We succeeded handling all the conversation though in a unseemly fashion for the new password is echoed (which, of course, is not welcome by the customer).

 

Our 3 main keys have been:

1)       enabling SSH interaction with ChallengeResponseAuthentication=yes in sshd_config

2)       enabling PAM_LDAP via etc/pam.d/system-auth

3)       enabling the pam_conv routine by the following mechanism code:

 

      echo_result = _plug_challenge_prompt(params->utils, SASL_CB_ECHOPROMPT,

                                   NULL,

                                   promptText,

                                   (const char**)&text->echoresponse, prompt_need);

      if ((echo_result != SASL_OK) && (echo_result != SASL_INTERACT))

            return echo_result;

      /* free prompts we got */

      if (prompt_need && *prompt_need) {

            params->utils->free(*prompt_need);

            *prompt_need = NULL;

      }

            /* if there are prompts not filled in */

      if (echo_result == SASL_INTERACT)

      {

            /* make the prompt list */

            result =

                  _plug_make_prompts(params->utils, prompt_need,

                              NULL, NULL,

                             NULL, NULL,

                             NULL, NULL,

                             NULL, promptText,

                             NULL, NULL, NULL, NULL);

            if (result != SASL_OK) return result;

            return SASL_INTERACT;

      }

      /* the application provided us with a new password so use it */

      if (text->echoresponse) {

            *clientout = text->echoresponse;

            *clientoutlen = strlen(text->echoresponse);

      }

 

Now what we expected was just to turn SASL_CB_ECHOPROMPT to SASL_CB_NOECHOPROMPT to reach our goal

The result is the pam_conv routine returns empty response to sasl and the mech_client_step function keeps being called (looping) by the glue code. In human terms  the client keeps giving his new password and still in clear (echoprompted) .

Do you have any idea on what I’m missing?

Is it available any reference about chalprompt_cb function and its parameters  used by _plug_challenge_prompt?

We also tried with _plug_get_password without any outcome

 

Any help would be appreciated

Many many thanks

 

Francesco Grossi

 


[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux