Corvus Corax
2019-Mar-14 11:18 UTC
Hi. I need to necro an old feature request from May 2000: Option PAMServiceName
Hello OpenSSH devs. My name is Eric (aka Corvus Corax). I'm currently working as a PhD student at the Max Planck Institute for Intelligent Systems in Germany. I wanted to set up two-factor authentication with OpenSSH using PAM, but I ran into the following issue requiring a really dirty hack/workaround: https://pastebin.com/SuCG6dft

Effectively SSHD is executing two different authentications - one for password (alternative to ssh key) and one for a challenge-response two-factor token, like this:

    AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive

Both authentication methods use the PAM (auth) aspect to let PAM handle the actual authentication. Yet OpenSSH only uses a single service name and as such only a single configuration is possible, requiring really dirty hacks in PAM to distinguish from which context PAM is being called. (In fact, I think the described hack doesn't even work in the latest openssh-portable, making this impossible.)

The much more elegant solution would be a feature in OpenSSH to set the PAMServiceName based on the authentication method used.

Turns out, I am not the first person requesting this. The first feature request (with patch) I found in the archive is https://marc.info/?l=openssh-unix-dev&m=95840880026194&w=2

The issue came up again in bug https://bugzilla.mindrot.org/show_bug.cgi?id=1041 in 2005.

And then in the 2013 to 2015 period there's a number of emails on the list starting with https://marc.info/?l=openssh-unix-dev&m=136846294704608&w=2 and related to bug https://bugzilla.mindrot.org/show_bug.cgi?id=2246

Of course I only found all this after I already did my own implementation, which I put both on github and on bugzilla:
https://github.com/openssh/openssh-portable/pull/122
https://bugzilla.mindrot.org/show_bug.cgi?id=2980

Sadly, the old implementation from bug 2246 (which is still open) is no longer compatible with the latest openssh-portable. But I was able to take some of the issues/suggestions raised with that bug and apply them to my re-implementation. (Mainly related to auth-pam internal state handling when reinitiating the PAM session.)

Personally, I think my approach to solving this is slightly superior (although it's also more lazy) than the approach taken in bug 2246. It also has the advantage that it works in the latest openssh-portable. But I would really like to get some feedback on this.

best regards,
Eric
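To make the problem in the message above concrete, here is a small audit helper (an added example for this thread, not code from OpenSSH, from the pull request, or from the poster). It parses a constructed sshd_config using the AuthenticationMethods line quoted above together with a constructed /etc/pam.d/sshd auth stack, works out which of the listed methods will call into PAM, and shows that every one of them is dispatched under the same PAM service name. The service name "sshd" is an assumption (portable OpenSSH derives it from the program name); the config parsing is deliberately simplified and ignores Match blocks and Include directives.

```python
"""Audit helper: which sshd authentication methods end up in PAM, and under
which PAM service name.  Added example for this thread; not OpenSSH code and
not the posted pull request.  Parsing is simplified (no Match/Include)."""

# Constructed sample sshd_config, mirroring the setup described in the post.
SAMPLE_SSHD_CONFIG = """\
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive
"""

# Constructed sample /etc/pam.d/sshd (only the auth stack matters here).
# pam_oath.so stands in for whatever challenge-response module is used.
SAMPLE_PAM_SSHD = """\
# auth stack shared by every PAM-backed sshd method
auth    required    pam_unix.so
auth    required    pam_oath.so usersfile=/etc/users.oath
account required    pam_unix.so
"""


def parse_sshd_config(text):
    """Return a {lowercased option: value} dict; comments and blanks dropped."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def auth_chains(opts):
    """AuthenticationMethods as a list of chains, each a list of methods."""
    raw = opts.get("authenticationmethods", "")
    return [chain.split(",") for chain in raw.split()]


def pam_methods(opts):
    """Methods that hand the credential to PAM, given UsePAM and the switches
    that enable password and keyboard-interactive authentication."""
    if opts.get("usepam", "no").lower() != "yes":
        return set()
    password_on = opts.get("passwordauthentication", "yes").lower() == "yes"
    kbdint_on = opts.get("challengeresponseauthentication", "yes").lower() == "yes"
    methods = set()
    for chain in auth_chains(opts):
        for method in chain:
            if method == "password" and password_on:
                methods.add(method)
            elif method == "keyboard-interactive" and kbdint_on:
                methods.add(method)
    return methods


def pam_auth_modules(pamd_text):
    """Module names on the 'auth' lines of a pam.d service file, in order."""
    mods = []
    for line in pamd_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            mods.append(fields[2])
    return mods


def service_map(opts, pamd_text, service="sshd"):
    """Map each PAM-backed method to the PAM service it is dispatched under
    and the auth modules that will run.  With a single service name every
    method gets the identical stack, which is the problem raised in the post.
    'sshd' is an assumption about the default service name."""
    mods = pam_auth_modules(pamd_text)
    return {m: (service, mods) for m in sorted(pam_methods(opts))}


if __name__ == "__main__":
    opts = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for method, (svc, mods) in service_map(opts, SAMPLE_PAM_SSHD).items():
        print(f"{method:22s} -> PAM service {svc!r}: {' '.join(mods)}")
```

Run against the constructed input, both "password" and "keyboard-interactive" resolve to the same service and therefore the same pam_unix.so plus pam_oath.so stack, which is why a per-method service name (or a PAM-side hack to tell the two contexts apart) is needed to make the second factor apply only to the challenge-response step.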