Marcin Mogielnicki
2005-Jun-21 15:55 UTC
problem with pam_converse with openssh protocol version 1
Hi,

My company decided to implement security restrictions lately and I was to write stricter authorization modules for PAM. One of them works by asking for some kind of additional security string (for example a PIN from some kind of token). It is done by a PAM module, which asks the calling application to do the conversation for it:

    /* module side: send one ECHO_OFF prompt through the application's
     * conversation function and keep a copy of the answer */
    struct pam_message prompt_msg;
    const struct pam_message *pmsg[1];
    struct pam_response *resp = NULL;
    const struct pam_conv *conv;
    char *pin;
    int i = 0, retval;

    prompt_msg.msg_style = PAM_PROMPT_ECHO_OFF;
    prompt_msg.msg = strdup("Enter PIN:");
    pmsg[i++] = &prompt_msg;
    retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
    if (retval != PAM_SUCCESS)
        return PAM_SYSTEM_ERR;
    /* CONST: portability macro (const on Linux-PAM, empty on Solaris) */
    retval = conv->conv(i, (CONST struct pam_message **) pmsg, &resp, conv->appdata_ptr);
    if (retval != PAM_SUCCESS || resp == NULL || resp->resp == NULL)
        return PAM_SYSTEM_ERR;
    pin = strdup(resp->resp);
    free(resp->resp);   /* the module frees both the answer and the response array */
    free(resp);

It works. For example rlogin shows the string "Enter PIN:" and returns the answer in resp->resp.

OpenSSH works exactly the same, the right way, if 'ChallengeResponseAuthentication yes' is set and the v2 protocol is used. With v1, PAM_CONV_ERR is always returned, which means that an error occurred during the conversation with the user. However, no conversation takes place: "Enter PIN:" is not shown, the user is asked for nothing. Logging in with v1 looks this way:

    # ssh -1 -p machine
    Password:
    Response:
    user@machine's password:
    (...)

It depends on the PAM configuration; if the user is allowed in, PAM_CONV_ERR is returned and no conversation took place at all.

v2:

    # ssh -2 machine
    Password:
    Enter PIN:
    (...)

Everything works like it should.

I suspect that I will receive a very simple answer: "use v2 only". It is the simplest and the most secure and effective, but unacceptable. Some of the machines (Cray SV1 for example) have only v1 implemented. Besides, hundreds of users connect to my site every day; try to persuade all of them to use v2 only.

So once more:

1) if ChallengeResponseAuthentication is set to yes, the PAM conversation works right with v2, but v1 returns PAM_CONV_ERR. Moreover, it asks the user for weird things, which makes the user call me.
2) if ChallengeResponseAuthentication is set to no, no PAM conversation takes place in v1 or v2; PAM_CONV_ERR is returned by sshd to the PAM module.

Is there any way to implement the PAM conversation in the v1 protocol? If not, it would be nice for v1 to converse with the user in a more comprehensible way.

All the tests took place on Solaris 9 and Linux; both behave exactly the same (i.e. wrong) way.

Thanks in advance,
Marcin Mogielnicki, ICM, Poland
Frank Cusack
2005-Jun-21 20:27 UTC
problem with pam_converse with openssh protocol version 1
On June 21, 2005 5:55:05 PM +0200 Marcin Mogielnicki <mar_mog at o2.pl> wrote:

> I suspect that I will receive a very simple answer - "use v2 only". It is the simplest and the most
> secure and effective, but unacceptable. Some of the machines (Cray SV1 for example) have only v1
> implemented. Besides, hundreds of users connect to my site every day - try to persuade all of them
> to use v2 only.
>
> So once more:
>
> 1) if ChallengeResponseAuthentication is set to yes, the PAM conversation works right with v2, but v1
> returns PAM_CONV_ERR. Moreover, it asks the user for weird things, which makes the user call me.
> 2) if ChallengeResponseAuthentication is set to no, no PAM conversation takes place in v1 or v2
> - PAM_CONV_ERR is returned by sshd to the PAM module.
>
> Is there any way to implement the PAM conversation in the v1 protocol? If not, it would be nice for v1
> to converse with the user in a more comprehensible way.

In v1, you'd have to use TIS authentication. You have to make sure your client doesn't echo the password, though. (I think all modern clients are conservative and don't echo.) You might end up having to make some small sshd changes to make this work.

Frank