Hi,

Is there any hope getting openssh to support a sequence of several authentication methods (requiring different passwords) for one login? I.e. take the standard static password, feed it into pam_unix.so for verification, then ask the user for yet another password (e.g. a one-time password) and verify this one by a different PAM module.

Currently, verifying either a static password or a one time password both work nicely, but knowing the weaknesses of both methods, I'd like to require both static _and_ one time password...

Seems like quite a problem to get a message back to the user and obtain some additional input from him, but then, I'm not an ssh-expert, so I might be missing something obvious.

Thanks,
Stefan
Surely this would be handled by the pam code already wouldn't it? Assuming that there are several modules all required and they each can ask the user for some auth token... (not that I've actually tried it of course).
> Is there any hope getting openssh to support a sequence
> of several authentication methods (requiring different
> passwords) for one login?
> I.e. take the standard static password, feed it into
> pam_unix.so for verification, then ask the user for yet
> another password (e.g. a one-time password) and verify
> this one by a different PAM module
> Currently, verifying either a static password or a one
> time password both work nicely, but knowing the
> weaknesses of both methods, I'd like to require both
> static _and_ one time password...
> Seems like quite a problem to get a message back to the
> user and obtain some additional input from him, but
> then, I'm not an ssh-expert, so I might be missing
> something obvious.

The SSH2 protocol has support for this in its authentication protocol:

2.2. Responses to Authentication Requests

   If the server rejects the authentication request, it MUST respond
   with

      byte      SSH_MSG_USERAUTH_FAILURE
      string    authentications that can continue
      boolean   partial success

   ...

   "Partial success" MUST be true if the authentication request to
   which this is a response was successful.  It MUST be false if the
   request was not successfully processed.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
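To make the protocol excerpt above concrete, here is an added example (not code from the thread or from OpenSSH) that encodes and decodes SSH_MSG_USERAUTH_FAILURE in the wire format the draft describes (message byte 51, a uint32-length-prefixed comma-separated name-list, a one-byte boolean), and a small server-side tracker that uses the "partial success" flag to chain a reusable password step and a one-time-password step for one login. The method names "password" and "keyboard-interactive" and the two-step policy are assumptions for the demonstration; the tracker is a toy state machine, not sshd's logic.

```python
import struct

# Message numbers from the SSH userauth protocol (RFC 4252 / draft-ietf-secsh-userauth).
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52


def encode_userauth_failure(methods, partial_success):
    """Build SSH_MSG_USERAUTH_FAILURE: byte, name-list, boolean."""
    names = ",".join(methods).encode("ascii")  # name-list is comma-separated US-ASCII
    return (struct.pack("!B", SSH_MSG_USERAUTH_FAILURE)
            + struct.pack("!I", len(names)) + names
            + struct.pack("!?", partial_success))


def decode_userauth_failure(msg):
    """Parse SSH_MSG_USERAUTH_FAILURE; reject anything malformed rather than guess."""
    if len(msg) < 6:
        raise ValueError("message too short for type byte, length and boolean")
    if msg[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not an SSH_MSG_USERAUTH_FAILURE message")
    (n,) = struct.unpack_from("!I", msg, 1)
    names = msg[5:5 + n]
    if len(names) != n:
        raise ValueError("truncated name-list")
    if len(msg) != 5 + n + 1:
        raise ValueError("trailing bytes after boolean")
    methods = names.decode("ascii").split(",") if names else []
    partial_success = msg[5 + n] != 0  # any non-zero value is TRUE per RFC 4251
    return methods, partial_success


class TwoStepAuth:
    """Server-side view of one login that must pass BOTH steps, in any order.

    Assumed policy: a reusable password check ('password') and a one-time
    password check ('keyboard-interactive'). Each successful step is answered
    with FAILURE + partial_success=TRUE listing what is still required, so the
    client knows to continue; only when nothing remains is SUCCESS sent.
    """
    REQUIRED = ("password", "keyboard-interactive")

    def __init__(self):
        self.completed = []

    def remaining(self):
        return [m for m in self.REQUIRED if m not in self.completed]

    def record(self, method, verified):
        """Return the wire message to send after a step with the given outcome."""
        if not verified or method not in self.remaining():
            # Failed or out-of-policy step: nothing new is satisfied.
            return encode_userauth_failure(self.remaining(), False)
        self.completed.append(method)
        if not self.remaining():
            return struct.pack("!B", SSH_MSG_USERAUTH_SUCCESS)
        return encode_userauth_failure(self.remaining(), True)


if __name__ == "__main__":
    # Constructed walk-through of the flow Stefan asked for.
    auth = TwoStepAuth()
    for method, ok in (("password", False), ("password", True),
                       ("keyboard-interactive", True)):
        reply = auth.record(method, ok)
        if reply[0] == SSH_MSG_USERAUTH_SUCCESS:
            print(f"{method}: SUCCESS")
        else:
            print(f"{method}: FAILURE {decode_userauth_failure(reply)}")
```

The decoder is strict on length on purpose: a name-list whose declared length overruns the buffer is the classic shape of a malformed packet, and rejecting it is cheaper than reasoning about what a lenient parse would have returned.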
ChallengeResponse is not enough. The code has hard-coded assumptions about the PAM conversation. Anything more complicated than a simple prompt for password fails.

The code needs to be re-written so that the flow of control inside the PAM conversation function drives the authentication protocol. The current code keeps the flow of control in itself and messes with temporary buffers to interact with PAM in certain limited ways.

I have unleashed a student here to take a look at it; I'm hoping we can contribute something general and elegant to the effort. Of course, general and elegant is more work; in the short run I wouldn't mind seeing one of the two hard-coded TIS authsrv patches that appeared for 2.3.0 permanently incorporated.

If anyone else is doing likewise I'd like to hear from you.

----------------------------------------------------------------------
Attachment:

I have PAM set up on my Solaris machine to require both an S/KEY (via TIS authsrv) and a reusable password. Enclosed is a (cleaned-up) transcript showing that rlogin/PAM can handle it but sshd can't (doesn't even display the challenge at the appropriate time):
----------------------------------------------------------------------
Script started on Tue Mar 13 10:37:26 2001
% rlogin localhost
Skey Challenge s/key 631 gr8490 :dish if fog grub much hull
Password:
SUCCESS!
% logout
Connection closed.
% ssh -2 localhost
bukys at localhost's password:
Permission denied, please try again.
bukys at localhost's password:
Permission denied, please try again.
bukys at localhost's password:
Skey Challenge s/key 630 gr8490 :she mess rays they bog aida
Connection closed by 127.0.0.1
%
script done on Tue Mar 13 10:38:32 2001
----------------------------------------------------------------------