Hi Darren, I'm using OpenSSH and you're right, after enabling ChallengeResponseAuthentication in sshd_config it's working. Thanks!! BTW, I don't see any security holes in enabling ChallengeResponseAuthentication, please let me know if you think otherwise.

-Kent

-----Original Message-----
From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Darren Tucker
Sent: Thursday, April 27, 2006 2:20 PM
To: Pluggable Authentication Modules
Subject: Re: SSHD doesn't allow PAM module to use its own prompt for password

On Thu, Apr 27, 2006 at 12:17:21PM -0700, Kent Wu wrote:
> Hi guys,
>
> I'm trying to write up my own PAM module to authenticate users
> coming in from the ssh channel. This module was working pretty well until
> lately, when I wanted to enhance it a bit.
>
> What I tried to achieve is that when the system is in a bad
> state (detected by my PAM module), I want to prompt the user for a
> special pre-defined password for recovery purposes; the prompt I wanted
> is like "system is unstable, pls provide recovery password:". I passed
> this message through the pam_conv structure which I got by calling:
>
> pam_get_item(pamh, PAM_CONV, &void_conv);
>
> However, this prompt never showed up on my log-in screen. Here I
> specified the msg_style as either PAM_PROMPT_ECHO_OFF or
> PAM_PROMPT_ECHO_ON; however, neither of these works.
>
> So I'm thinking that even though PAM has defined this conversation structure,
> it looks like SSHD doesn't really honor it well enough. Am I
> missing something here, or is there a workaround for me to achieve what I
> want?

Which ssh server software and version are you running?

If it's OpenSSH, you need to be using keyboard-interactive authentication in sshd for this sort of thing to work. Make sure it's enabled in the server's sshd_config ("ChallengeResponseAuthentication yes") then try "ssh -o preferredauthentications=keyboard-interactive yourserver".

If that doesn't work then it's probably a bug somewhere, possibly in sshd.

In SSH in general, basic password authentication within the protocol doesn't provide enough flexibility to do what you want. (It's possible for sshd to hack around some of the limits by using things like SSHv2 banner packets, which OpenSSH's sshd does for some things.)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list