Damien Miller wrote:
>
> Hi,
>
> Is it possible to decouple the collection of prompts from the response
> to them? It seems that you have to do both at once in the conversation
> function.
>
> I want to be able to grab the prompts and then respond to them with a
> separate call.

PAM itself isn't asynchronous -- it asks a question and expects to see an answer on return.

> Why? I am rewriting OpenSSH's PAM keyboard interactive auth method
> to integrate better (currently it abuses the protocol a bit :). Auth
> requests and responses can come asynchronously, and we use a callback
> architecture to process them when they arrive. I can't make this fit
> with the conversation function's need to deliver the prompts and expect
> the replies within the same function.
>
> Any help would be appreciated.

What you ask will be a non-trivial task, if it is possible at all. Strictly speaking it is not possible, but let's draw a picture first.

A pam module calls a user callback, expecting an answer to be filled in or an error to be returned. One of the return codes can be PAM_CONV_AGAIN. After this return, a module should return PAM_INCOMPLETE to the caller, and the caller should ensure the conversation is ready and call the pam routine (e.g. pam_authenticate) again. Looks like just what you want.

But there are two problems. First of all, not all modules are ready to handle PAM_CONV_AGAIN properly (some of them will return some sort of generic error to the caller, e.g. PAM_AUTH_ERR). Those are bugs, but it is difficult to fix them. (I last looked at the pam sources about a year ago, so things might have changed, but I doubt they have.)

And second, even if you do this, which looks like a way to go, things will not work. There will be no mapping between old and new prompts and responses. Even if you collect both, there will be no way to fill in answers to old questions into new questions. Moreover, there is no guarantee that new prompts will be the same!
Currently, with commonly used modules, you will get the same prompts in the same sequence next time. But nothing stops a module from asking different questions.

The only way to go IMHO is to define some structure to track the answers and fill in the pam request structure, call the pam routine, turn on a global flag (we're inside a pam call) in order to avoid nested calls, and then from a callback continue async send/receive, one at a time, until all the answers are filled in or an error/abort is seen, and then return. This looks somewhat ugly, but I see no other way to do this. With a good set of async routines, this will be more or less clean.

Regards,
Michael.
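
The approach described in the reply above, as an added example that is not part of the original message and is not OpenSSH or Linux-PAM code: the conversation callback drives the transport one prompt at a time, and a global flag refuses a second PAM call while the first is still waiting. `struct msg`, `struct resp`, `run_auth`, `exchange_fn`, the fake module and the canned replies are assumptions, local stand-ins so that it builds without libpam.

```c
#include <stdlib.h>
#include <string.h>
enum { CONV_OK, CONV_ERR, AUTH_BUSY };        /* stand-ins for PAM_SUCCESS/PAM_CONV_ERR; AUTH_BUSY is ours */
struct msg  { int style; const char *text; }; /* local stand-in for struct pam_message (no libpam needed) */
struct resp { char *text; int retcode; };     /* local stand-in for struct pam_response */
typedef int (*module_fn)(void *app);          /* stands in for a pam_authenticate() call */
typedef char *(*exchange_fn)(const char *prompt, void *ctx); /* hypothetical: send prompt, wait for reply; NULL = abort */
struct session { exchange_fn exchange; void *ctx; };
static int in_pam_call;                       /* global "we're inside a pam call" flag */
static int conv(int n, const struct msg **m, struct resp **out, void *app) {
    struct session *s = app;
    struct resp *r = calloc((size_t)n, sizeof *r);
    if (r == NULL) return CONV_ERR;
    for (int i = 0; i < n; i++) {             /* one prompt at a time, in the module's order */
        r[i].text = s->exchange(m[i]->text, s->ctx);
        if (r[i].text != NULL) continue;
        while (i-- > 0) free(r[i].text);      /* abort: drop the answers collected so far */
        free(r); return CONV_ERR;
    }
    *out = r;
    return CONV_OK;
}
int run_auth(module_fn module, struct session *s) {
    if (in_pam_call) return AUTH_BUSY;        /* a request arrived while a module waits in conv() */
    in_pam_call = 1;
    int rc = module(s);
    in_pam_call = 0;
    return rc;
}
static int fake_module(void *app) {           /* constructed: a module that asks two questions */
    struct msg a = {1, "login: "}, b = {1, "Password: "};
    const struct msg *m[] = { &a, &b }; struct resp *r = NULL;
    if (conv(2, m, &r, app) != CONV_OK) return CONV_ERR;
    int ok = !strcmp(r[0].text, "alice") && !strcmp(r[1].text, "s3cret");
    free(r[0].text); free(r[1].text); free(r);
    return ok ? CONV_OK : CONV_ERR;
}
static const char **answers; int nested_rc;   /* constructed transport state */
static char *canned_exchange(const char *prompt, void *ctx) {
    (void)prompt; (void)ctx;
    nested_rc = run_auth(fake_module, NULL);  /* a second request arriving mid-conversation */
    const char *a = *answers++;
    char *p = a ? malloc(strlen(a) + 1) : NULL;
    return p ? strcpy(p, a) : NULL;
}
int demo(const char **replies) {              /* returns the outer result; nested_rc holds the inner one */
    struct session s = { canned_exchange, NULL };
    answers = replies; nested_rc = -1;
    return run_auth(fake_module, &s);
}
```

Because the answers are collected inside a single call, they are always matched to the prompts the module asked on that call, which is the mapping the PAM_CONV_AGAIN route cannot provide.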