federikkom wrote:
I'm developing an authentication service module for PAM.
This module sends a token to a mobile to authenticate a
user.
The module prompts "Token:" and expects the user to enter
the token sent. If the token is valid, the user is
authenticated. The token expires after some seconds.
With login and su application it works fine, but with ssh
it doesn't work. However, ssh is compiled and configured
with PAM.
Which SSH server software and version are you using? The config looks
like OpenSSH and the remainder of this message assumes that it is.
[...]
When you use the login application to log in to the system,
you can see this:
login: user
password:
Token:
If the user puts the correct data, it is authenticated.
With the su application it works the same way:
$ su user
password:
Token:
But with ssh I haven't been able to prompt the word
"Token:" to get the string that the user writes. I'm using
the pam_prompt() function to display it.
What you're trying to do should work with SSH protocol 2 and
keyboard-interactive authentication.
root@gasherbrum:~# ssh -c 3des root@manaslu
root@manaslu's password:
Permission denied, please try again.
root@manaslu's password:
That prompt looks like sshd's PasswordAuthentication is still enabled.
Did you restart sshd after changing its config? You can force the
client to use kbdint with:
$ ssh -2 -o preferredauthentications=keyboard-interactive yourserver
After I enter the correct password it asks me again to
enter the password, instead of displaying "Token:".
Also, in OpenSSH "-c 3des" is a cipher option for SSH protocol 1.
The SSHv1 protocol allows for only a single challenge and response per
auth attempt, so what you're trying to do won't work with it (and can't
without some serious hackery on the sshd side, such as maintaining PAM
state between auth attempts).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
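The server-side settings that match the advice in the reply above, added here as an illustration and not taken from the original thread: an sshd_config fragment that turns off sshd's own password prompt and lets the PAM stack drive a multi-prompt keyboard-interactive exchange, plus a PAM stack for sshd. The directive names are OpenSSH's; the module name pam_token.so and the file paths are assumptions standing in for the poster's module.

```text
# /etc/ssh/sshd_config (relevant lines only; added example, not from the thread)
# SSHv1 allows a single challenge/response per attempt, so stay on protocol 2.
Protocol 2
# Hand authentication to the PAM stack in /etc/pam.d/sshd.
UsePAM yes
# Enables keyboard-interactive, which can carry several prompts (password, then Token:).
ChallengeResponseAuthentication yes
# With this left on, the client may pick sshd's built-in password prompt instead of PAM's.
PasswordAuthentication no

# /etc/pam.d/sshd (added example; pam_token.so is a placeholder for the token module)
auth     required   pam_unix.so
auth     required   pam_token.so
account  required   pam_unix.so
```

Restart sshd after editing, then test from a client exactly as the reply suggests: ssh -2 -o PreferredAuthentications=keyboard-interactive yourserver. The PAM password prompt should be followed by the module's "Token:" prompt; if the client is still shown "root@host's password:" twice, sshd is still serving password authentication rather than keyboard-interactive. On OpenSSH releases that support it, sshd -T prints the effective configuration and is a quick way to confirm which settings the running daemon actually loaded.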