Re: OpenSSH 4.2p1 and PAM - a problem

Jeff Blaine wrote:
Darren, any explanation you can give would be great.

Darren Tucker wrote:
On Tue, Nov 22, 2005 at 01:33:07PM -0500, Jeff Blaine wrote:
The "AFS Password required but not supplied by user jblaine"
below is bogus.  A password was supplied.

Does "ssh -o PreferredAuthentications=password yourserver" work?
(This requires that PasswordAuthentication be enabled in sshd_config.)

If that works, I will explain why.  If not, please open an OpenSSH bug
at and we will see what we can do to help
you get it working.

Oops, I meant to get back to answering that and (as usual) got sidetracked.

The basic reason is the way OpenSSH's sshd does PAM authentication for keyboard-interactive: for various reasons, it forks off a process to interact with PAM while the parent continues to interact with the client. The pam_authenticate call is done in this child process.

Most of the time this works fine, however PAM supplies a mechanism to store module-private information (ie pam_set_data()) which does not work with this. Your module probably uses it to store the user's credentials (TGT / password / whatever) which is lost when this subprocess exits, causing future invocations of the module to complain about its lack.

PasswordAuthentication uses a much simpler (but limited) method to interact with PAM which does not use a subprocess, so it does not suffer from this problem. If your modules work OK with this then it is probably your best solution at the moment: simply disable ChallengeResponseAuthentication in sshd_config.

Alternatively, you can compile with a #define to use a thread rather than a process for keyboard-interactive (USE_POSIX_THREADS for <= 4.0p1, UNSUPPORTED_POSIX_THREADS_HACK for >= 4.1p1), however this is, as you may gather, unsupported.

The gory details can be found at in bug #688, and in a couple of threads on the openssh-unix-dev list.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Relevant Pages

  • Re: configure password prompt in SSH
    ... > and keyboard-interactive authentications? ... PAM, which is why the two are often used together). ... Darren Tucker ... Good judgement comes with experience. ...
  • Re: PAM changing user name
    ... The specific case matches the Radius example pretty well ... > authentication work with PAM backported - no problem upgrading to a more ... Darren Tucker ... Good judgement comes with experience. ...
  • Re: OpenSSH 3.8p1 on Solaris with PAM/krb5
    ... Will that still use password auth ... it will use whatever PAM is configured for. ... Darren Tucker ... Good judgement comes with experience. ...
  • Re: Forcing new password at login (w/o requiring an old password) (sudo related)
    ... >> If you're using PAM then the user will be forced to set a new password ... >> when the existing one expires regardless of the authentication method. ... Darren Tucker ... Good judgement comes with experience. ...
  • PAM Please help
    ... How do by PAM to assign user of 10MB primary storage and 10 % supplies of ...