Re: OpenSSH 4.2p1 and PAM - a problem



Jeff Blaine wrote:
Darren, any explanation you can give would be great.
[...]
http://www.networksecurityarchive.org/html/Secure-Shell/2005-11/msg00049.html


Darren Tucker wrote:
On Tue, Nov 22, 2005 at 01:33:07PM -0500, Jeff Blaine wrote:
[...]
The "AFS Password required but not supplied by user jblaine"
below is bogus.  A password was supplied.


Does "ssh -o PreferredAuthentications=password yourserver" work?
(This requires that PasswordAuthentication be enabled in sshd_config.)

If that works, I will explain why.  If not, please open an OpenSSH bug
at http://bugzilla.mindrot.org and we will see what we can do to help
you get it working.

Oops, I meant to get back to answering that and (as usual) got sidetracked.

The basic reason is the way OpenSSH's sshd does PAM authentication for keyboard-interactive: for various reasons, it forks off a process to interact with PAM while the parent continues to interact with the client. The pam_authenticate call is done in this child process.

Most of the time this works fine, however PAM supplies a mechanism to store module-private information (ie pam_set_data()) which does not work with this. Your module probably uses it to store the user's credentials (TGT / password / whatever) which is lost when this subprocess exits, causing future invocations of the module to complain about its lack.

PasswordAuthentication uses a much simpler (but limited) method to interact with PAM which does not use a subprocess, so it does not suffer from this problem. If your modules work OK with this then it is probably your best solution at the moment: simply disable ChallengeResponseAuthentication in sshd_config.

Alternatively, you can compile with a #define to use a thread rather than a process for keyboard-interactive (USE_POSIX_THREADS for <= 4.0p1, UNSUPPORTED_POSIX_THREADS_HACK for >= 4.1p1), however this is, as you may gather, unsupported.

The gory details can be found at http://bugzilla.mindrot.org in bug #688, and in a couple of threads on the openssh-unix-dev list.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.