On Sat, Jul 23, 2016 at 5:50 AM, James Murphy <james.murphy.debian@xxxxxxxxx> wrote:
> I'm writing a PAM module to do authentication through Signal (as in Open
> Whisper Systems) [1]. I would like to be able to offer
> (Public key AND Signal) or (Password AND Signal)
>
> for authentication. This suggests setting AuthenticationMethods to
> publickey,keyboard-interactive:pam password,keyboard-interactive:pam
>
> However, when PAM is enabled "password" means "show password prompt,
> then do PAM", which is a problem because my PAM does Signal auth, not
> password auth,

The PAM conversation is whatever you configure the stack to be, not just one of password or Signal. For example you could have this in your PAM ssh config:

auth required pam_unix.so
auth required pam_signal.so

and as long as you're using SSH Protocol 2, it should allow multiple conversations in a single call to pam_authenticate. That should get you the "password then Signal" authentication via only keyboard-interactive.

[...]

> Or another solution would be to allow multiple different PAM modules to
> be called instead of requiring it all to be lumped into /etc/pam.d/sshd.

There's an open enhancement request for this:
https://bugzilla.mindrot.org/show_bug.cgi?id=2246

> Then one could specify something like
>
> PAMFiles /etc/pam.d/sshd*
> AuthenticationMethods
> keyboard-interactive:pam:sshd-pass,keyboard-interactive:pam:sshd-signal

You can get this behaviour by putting both auth modules in the ssh stack config as described above, and that should work with the current production code.

Getting (Public key AND Signal) or (Password AND Signal) to work is trickier. I can imagine 2 ways to do it, both of which require changes not in the current production code.

1) Use the per-auth-type PAM configs as per https://bugzilla.mindrot.org/show_bug.cgi?id=2246.
2) Configure the ssh-passwd stack to have just pam_unix.so and the ssh-kbdint stack to have just pam_signal.so.
3) Put "AuthenticationMethods password,keyboard-interactive publickey,keyboard-interactive" into sshd_config. sshd should offer you either of publickey or password first, then proceed to keyboard-interactive.

OR (and this one is fuzzier)

a) Use "expose authentication information to PAM" as per https://bugzilla.mindrot.org/show_bug.cgi?id=2408
b) Put "AuthenticationMethods publickey,keyboard-interactive keyboard-interactive" in sshd_config
c) Put both pam_unix.so and pam_signal.so in the PAM config and have it somehow check for the indication that pubkey has been successful and, if found, skip pam_unix somehow. I don't know of a way to do that offhand, though.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience.
    Unfortunately, the experience usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
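The discussion above turns on how sshd walks an AuthenticationMethods value: a space-separated list of alternatives, each a comma-separated chain of methods that must be completed in the order written, where a successful method is removed from the head of every alternative it currently leads and the client is only offered methods that head some alternative. The following is an added example, written for this page and not OpenSSH code or anything posted in the thread, that models that rule so the configurations proposed in the message (James's original value and option 3) can be compared. The method names and the `keyboard-interactive:pam` device qualifier are as documented in sshd_config(5); the config strings are constructed for the example, and the function names and state representation are the example's own.

```python
"""Model of sshd's AuthenticationMethods evaluation (added example, not
OpenSSH code).  State is the list of alternatives, each a list of the
methods still required, consumed from the head as methods succeed."""
from __future__ import annotations

# userauth method names sshd accepts in AuthenticationMethods
KNOWN_METHODS = {"publickey", "password", "keyboard-interactive",
                 "hostbased", "gssapi-with-mic"}

# Config strings constructed for this example: the value proposed in the
# original question, and option 3 from the reply.
ORIGINAL = "publickey,keyboard-interactive:pam password,keyboard-interactive:pam"
OPTION3 = "password,keyboard-interactive publickey,keyboard-interactive"


def parse_auth_methods(value: str) -> list[list[str]]:
    """Split the option into alternatives (space) and chains (comma).
    "any" is modelled as one single-method alternative per known method."""
    if value.strip() == "any":
        return [[m] for m in sorted(KNOWN_METHODS)]
    alternatives = []
    for alt in value.split():
        chain = alt.split(",")
        for tok in chain:
            if tok.split(":", 1)[0] not in KNOWN_METHODS:
                raise ValueError(f"unknown authentication method: {tok!r}")
        alternatives.append(chain)
    return alternatives


def _matches(required: str, done: str) -> bool:
    """A qualified entry such as "keyboard-interactive:pam" only matches
    a success reported with that device; a bare name matches any device."""
    req_name, _, req_dev = required.partition(":")
    done_name, _, done_dev = done.partition(":")
    return req_name == done_name and (req_dev == "" or req_dev == done_dev)


def allowed_methods(state: list[list[str]]) -> set[str]:
    """Methods the client may attempt now: the head of every open chain,
    reported without device qualifier as the client would see them."""
    return {chain[0].split(":", 1)[0] for chain in state if chain}


def complete_method(state: list[list[str]], method: str):
    """Apply one successful method.  Returns (new_state, authenticated).
    A method heading no chain is refused and leaves the state unchanged."""
    if not any(chain and _matches(chain[0], method) for chain in state):
        return state, False
    new_state, authenticated = [], False
    for chain in state:
        if chain and _matches(chain[0], method):
            chain = chain[1:]
            if not chain:          # this alternative is fully satisfied
                authenticated = True
        new_state.append(chain)
    return new_state, authenticated


def authenticates(value: str, successes: list[str]) -> bool:
    """Run a sequence of successful methods against a config value."""
    state = parse_auth_methods(value)
    for method in successes:
        state, ok = complete_method(state, method)
        if ok:
            return True
    return False


if __name__ == "__main__":
    for cfg in (ORIGINAL, OPTION3):
        state = parse_auth_methods(cfg)
        print(cfg)
        print("  first offered:", sorted(allowed_methods(state)))
        state, _ = complete_method(state, "publickey")
        print("  after publickey:", sorted(allowed_methods(state)))
        print("  pubkey+kbdint(pam) ->",
              authenticates(cfg, ["publickey", "keyboard-interactive:pam"]))
        print("  kbdint(pam) alone  ->",
              authenticates(cfg, ["keyboard-interactive:pam"]))
```

With option 3, a client that has completed publickey is still offered password as well as keyboard-interactive, because the untouched first alternative keeps its head; that is harmless for the stated goal, since neither alternative completes without the keyboard-interactive step that runs the PAM stack. The model is no substitute for the daemon itself: `sshd -T -f <file>` prints the effective configuration, and `sshd -ddd` logs which methods list completed.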