Re: SSHD doesn't allow PAM module to use it's own prompt for password

Give this link a read; it may help.
 
http://www.puschitz.com/SecuringLinux.shtml#EnforcingStrongerPasswords
 
Bob
 
-------------- Original message --------------
From: Darren Tucker <dtucker@xxxxxxxxxx>

> On Thu, Apr 27, 2006 at 12:17:21PM -0700, Kent Wu wrote:
> > Hi guys,
> >
> > I'm trying to write up my own PAM module to authenticate users
> > coming in from ssh channel. This module was working pretty well until
> > lately I wanted to enhance it a bit.
> >
> > What I tried to achieve is that when the system is in a bad
> > state (detected by my PAM module), I want to prompt the user for a
> > special pre-defined password for recovery purpose; the prompt I wanted
> > is like "system is unstable, pls provide recovery password:". I passed
> > this message through the pam_conv structure which I got by calling:
> >
> > pam_get_item(pamh, PAM_CONV, &void_conv);
> >
> > However this prompt never showed up in my log-in screen. Here I
> > specified the msg_style as either PAM_PROMPT_ECHO_OFF or
> > PAM_PROMPT_ECHO_ON however none of this works.
> >
> > So I'm thinking even though PAM has defined this conversation structure
> > however looks like SSHD doesn't really honor it well enough. Am I
> > missing something here or is there a workaround for me to achieve what I
> > want?
>
> Which ssh server software and version are you running?
>
> If it's OpenSSH, you need to be using keyboard-interactive authentication
> in sshd for this sort of thing to work. Make sure it's enabled in the
> server's sshd_config ("ChallengeResponseAuthentication yes") then try
> "ssh -o preferredauthentications=keyboard-interactive yourserver".
> If that doesn't work then it's probably a bug somewhere, possibly in sshd.
>
> In SSH in general, basic password authentication within the protocol
> doesn't provide enough flexibility to do what you want. (It's possible
> for sshd to hack around some of the limits by using things like SSHv2
> banner packets, which OpenSSH's sshd does for some things.)
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
> _______________________________________________
>
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list
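A static check for the server-side precondition described in the quoted reply, as an added example that is not part of the thread: it reads an sshd_config and reports whether keyboard-interactive authentication, the path a PAM prompt needs, is enabled globally. It assumes `UsePAM` must also be `yes`, treats `KbdInteractiveAuthentication` (the name newer OpenSSH releases use) as the same option as `ChallengeResponseAuthentication`, and does not follow `Include` files; the function names and the sample config are made up for illustration.

```shell
# Added example: static check of an sshd_config for the settings that let a
# PAM module's own prompt reach the client (global section only).

# first_global FILE KEYWORD...
# Print the first value given to any KEYWORD before the first Match block,
# lowercased, or "unset". sshd keeps the first value it reads for a keyword,
# matches keywords case-insensitively and also accepts "Keyword=value".
# Only the first word of the value is kept (enough for yes/no options).
first_global() {
    file=$1; shift
    awk -v names="$*" '
        BEGIN { n = split(tolower(names), want, " ") }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            key = line; sub(/[ \t=].*/, "", key)
            val = substr(line, length(key) + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t].*/, "", val)
            gsub(/"/, "", val)
            key = tolower(key)
            if (key == "match") exit
            for (i = 1; i <= n; i++)
                if (key == want[i]) { print tolower(val); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$file"
}

# pam_prompt_path FILE
# Print "open" (returns 0), "closed" (1) or "default-dependent" (2).
pam_prompt_path() {
    pam=$(first_global "$1" UsePAM)
    kbd=$(first_global "$1" KbdInteractiveAuthentication ChallengeResponseAuthentication)
    if [ "$pam" = yes ] && [ "$kbd" = yes ]; then echo open; return 0; fi
    if [ "$pam" = no ] || [ "$kbd" = no ]; then echo closed; return 1; fi
    echo default-dependent; return 2
}

# Constructed sample: the first ChallengeResponseAuthentication line wins, and
# the Match block is conditional, so the global result is "closed".
sample=$(mktemp)
cat > "$sample" <<'EOF'
usepam yes
ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
Match User recovery
    KbdInteractiveAuthentication yes
EOF
echo "PAM prompt path: $(pam_prompt_path "$sample")"
rm -f "$sample"
```

A "default-dependent" result means at least one setting is absent from the file, so the answer depends on the defaults of the installed sshd build; running `sshd -T` as root prints the configuration that build actually resolves.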