Re: OpenSSH 4.2p1 and PAM - a problem
- From: Darren Tucker <dtucker@xxxxxxxxxx>
- Date: Sun, 01 Jan 2006 18:52:52 +1100
Jeff Blaine wrote:
Darren, any explanation you can give would be great.[...]
[...]
http://www.networksecurityarchive.org/html/Secure-Shell/2005-11/msg00049.html
Darren Tucker wrote:On Tue, Nov 22, 2005 at 01:33:07PM -0500, Jeff Blaine wrote:
The "AFS Password required but not supplied by user jblaine" below is bogus. A password was supplied.
Does "ssh -o PreferredAuthentications=password yourserver" work? (This requires that PasswordAuthentication be enabled in sshd_config.)
If that works, I will explain why. If not, please open an OpenSSH bug at http://bugzilla.mindrot.org and we will see what we can do to help you get it working.
Oops, I meant to get back to answering that and (as usual) got sidetracked.
The basic reason is the way OpenSSH's sshd does PAM authentication for keyboard-interactive: for various reasons, it forks off a process to interact with PAM while the parent continues to interact with the client. The pam_authenticate call is done in this child process.
Most of the time this works fine, however PAM supplies a mechanism to store module-private information (ie pam_set_data()) which does not work with this. Your module probably uses it to store the user's credentials (TGT / password / whatever) which is lost when this subprocess exits, causing future invocations of the module to complain about its lack.
PasswordAuthentication uses a much simpler (but limited) method to interact with PAM which does not use a subprocess, so it does not suffer from this problem. If your modules work OK with this then it is probably your best solution at the moment: simply disable ChallengeResponseAuthentication in sshd_config.
Alternatively, you can compile with a #define to use a thread rather than a process for keyboard-interactive (USE_POSIX_THREADS for <= 4.0p1, UNSUPPORTED_POSIX_THREADS_HACK for >= 4.1p1), however this is, as you may gather, unsupported.
The gory details can be found at http://bugzilla.mindrot.org in bug #688, and in a couple of threads on the openssh-unix-dev list.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.- Prev by Date: Re: dropped connection with openssh4.2
- Next by Date: version 4.0 and Kerberos
- Previous by thread: Re: dropped connection with openssh4.2
- Next by thread: version 4.0 and Kerberos
- Index(es):
Relevant Pages
|
