Hello, We have a setup with OpenSSH server on HP-UX machine with windows SSH clients and the server system is in trusted mode. There are configuration settings in the trusted system to check the number of unsuccessful logins to the system and the account can be configured to lock if the real unsuccessful attempt is exceeding the allowable limit. Now, as SSH do not have any explicit code to check all these trusted system related configuration, we have a necessity that the code has to go through PAM. We are using "PowerTerm Interconnect" windows SSH clients and in these clients there are no options to set "keyboard-interactive" method for authentication. So,even if we set "UsePAM yes" in the server side, the client is not sending a "keyboard-interactive" string and sends a "password" string, so, the "password" method is being started. So, the system is doing normal password authentication even if "UsePAM yes" is configured. But, we need the sshd server should pass through PAM so that the trusted system behaviour will be taken care by PAM modules. In order to achieve this, we like the sshd server to do the keyboad-interactive feature for Password authentication also. That is., even the normal password authentication it has to go through PAM. First of all,what are the impacts for this change in design? Is this change valid? Any help will be much appreciated. Thanks, Kumar
Kumaresh wrote: [snip]> In order to achieve this, we like the sshd server to do the > keyboad-interactive feature for Password authentication also. That is., even > the normal password authentication it has to go through PAM.This is now in the current version, and the patch is available here: http://bugzilla.mindrot.org/show_bug.cgi?id=874> First of all,what are the impacts for this change in design? Is this change > valid?In order for PasswordAuthentication to work with PAM, sshd must use a "blind" conversation function: ie every time PAM sends an echo-off prompt, it responds with the password, and pretty much anything else generates an error. This means that if you PAM modules that prompt twice and require different responses, prompt with echo on, or require the user to respond based on the content of the prompts (eg a real challenge-response system), it wont work. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Apparently Analagous Threads
- PermitRootLogin without-password functionality differs for UsePAM yes/no option
- [Bug 1024] SSHD fails to connect when "UsePAM and UseLogin" is yes
- [Bug 3566] New: Password expiry warning is printed multiple times when UsePAM is set to yes
- [Bug 1410] New: Correct UsePAM comment in sshd_config on Mac OS X
- README.Solaris9-X86