Is there a way for a PAM module to force a client (and the server) to use kbd-interactive? As far as I can tell, when in the INITIAL_LOGIN phase, all communication with the client returns a PAM_CONV_ERR. I am trying to write a PAM module that will prompt a user for a second username and a second password in order for the module to succeed, so that proper authentication relies on the ability to authenticate against n machines, where n < 1.

I looked at the pam_authsrv module, but that appears (I did not compile and run) to use the supplied username, index against a mapfile, and then use the password supplied by the user to authenticate. So it may not be using kbd-interactive at all; it may just be password.

Am I missing something?

-- bryan
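The conversation round-trip such a module has to make, written here as an added example (not code from this thread or from pam_authsrv): it asks for the second username and password in one conv() call and fails closed when the application cannot relay prompts to the client, which is the PAM_CONV_ERR case described above. The struct layouts and constant values are copied from Linux-PAM so the file compiles without libpam; ask_second_credentials, the prompt strings and the two stand-in conversation functions are invented names for the illustration.

```c
/* Added example, not the thread's code.  Types and constants mirror
 * Linux-PAM's <security/pam_appl.h> so this builds without libpam. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1   /* password-style prompt */
#define PAM_PROMPT_ECHO_ON   2   /* username-style prompt */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, const struct pam_message **, struct pam_response **, void *); void *appdata_ptr; };

/* Ask both questions in one conv() call.  On PAM_SUCCESS *user/*pass hold
 * malloc'd answers the caller frees; any conversation failure (sshd in plain
 * "password" mode answers PAM_CONV_ERR) fails closed as PAM_AUTH_ERR. */
int ask_second_credentials(const struct pam_conv *cv, char **user, char **pass)
{
    struct pam_message m[2] = { { PAM_PROMPT_ECHO_ON,  "Second username: " },
                                { PAM_PROMPT_ECHO_OFF, "Second password: " } };
    const struct pam_message *mp[2] = { &m[0], &m[1] };
    struct pam_response *r = NULL;
    *user = *pass = NULL;
    if (cv == NULL || cv->conv == NULL)
        return PAM_AUTH_ERR;
    if (cv->conv(2, mp, &r, cv->appdata_ptr) != PAM_SUCCESS || r == NULL)
        return PAM_AUTH_ERR;
    if (r[0].resp == NULL || r[1].resp == NULL) {  /* a prompt went unanswered */
        free(r[0].resp); free(r[1].resp); free(r);
        return PAM_AUTH_ERR;
    }
    *user = r[0].resp; *pass = r[1].resp;          /* ownership moves to caller */
    free(r);
    return PAM_SUCCESS;
}

/* Constructed stand-ins for the application side: a kbd-interactive sshd
 * that relays prompts to the client, and a password-mode sshd that cannot. */
static int kbdint_conv(int n, const struct pam_message **m, struct pam_response **r, void *d)
{
    (void)d;
    if ((*r = calloc((size_t)n, sizeof **r)) == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++)   /* constructed answers: "bob" / "s3cret" */
        (*r)[i].resp = strdup(m[i]->msg_style == PAM_PROMPT_ECHO_ON ? "bob" : "s3cret");
    return PAM_SUCCESS;
}
static int password_mode_conv(int n, const struct pam_message **m, struct pam_response **r, void *d)
{ (void)n; (void)m; (void)d; *r = NULL; return PAM_CONV_ERR; }
```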
If you want to force an authentication method on the server, you have to disable all other methods (or make them fail).

On Mon, Jan 07, 2002 at 12:18:51PM -0800, Bryan Chua wrote:
> Is there a way for a PAM module to force a client (and the server) to
> use kbd-interactive? As far as I can tell, when in the INITIAL_LOGIN
> phase, all communication with the client returns a PAM_CONV_ERR. I am
> trying to write a PAM module that will prompt a user for a second
> username and a second password in order for the module to succeed so
> that proper authentication relies on the ability to authenticate against
> n machines, where n < 1.
>
> I looked at the pam_authsrv module, but that appears (I did not compile
> and run) to use the supplied username, index against a mapfile, and then
> use the password supplied by the user to authenticate. So it may not be
> using kbd-interactive at all, it may just be password.
>
> Am I missing something?
>
> -- bryan
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
On Mon Jan 07 12:18 2002 -0800, Bryan Chua wrote:
> Is there a way for a PAM module to force a client (and the server) to
> use kbd-interactive? As far as I can tell, when in the INITIAL_LOGIN

The PAM module itself can't force a particular SSH auth method, but you can set this up in the sshd_config file by enabling ChallengeResponseAuthentication and disabling all the other auth methods. To get ChallengeResponseAuthentication to use PAM, you also need to enable PAMAuthenticationViaKbdInt.

> I looked at the pam_authsrv module, but that appears (I did not compile
> and run) to use the supplied username, index against a mapfile, and then
> use the password supplied by the user to authenticate. So it may not be
> using kbd-interactive at all, it may just be password.

I use pam_authsrv with kbd-interactive to authenticate via an SNK, and it works perfectly. I suggest you try the latest version of pam_authsrv: http://www-dev.cso.uiuc.edu/authsrv/

HTH.

-- 
Mark D. Roth <roth at feep.net>
http://www.feep.net/~roth/
On Wed, 2002-01-09 at 02:33, Nicolas Williams wrote:
> Part of the problem is that a module might have more questions to ask
> given the answers to previous questions. Any system like PAM, with
> pluggable modules, will be potentially too dynamic to be used the way
> you want ("ask all your questions now, I'll answer them later").

I can't see why this is the case. An API like:

    while (!pam_conversation_done(pamh)) {
        pam_get_prompts(&prompts);
        /* do something with them */
        pam_set_responses(&responses);
    }

takes care of the potential flexibility and doesn't dictate structure to the application developer.

-d