search for: sshpam_query

Hi. One thing that people seem to want to do with PAM is to deny a login immediately without interacting but return a message to the user. (Some platforms implement, eg, /etc/nologin via PAM this way.) Currently, sshd will just deny the login and the user will not be told why. Attached it a patch that return a keyboard-interactive packet with the message in the "instruction"

...++i) { buffer_put_cstring(m, prompts[i]); <== fail here! xfree(prompts[i]); buffer_put_int(m, echo_on[i]); } ------- sshd debug log ----------- debug3: PAM: sshpam_init_ctx entering debug3: mm_request_send entering: type 49 debug3: mm_sshpam_query debug3: mm_request_send entering: type 50 debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY debug3: mm_request_receive_expect entering: type 51 debug3: mm_request_receive entering debug3: mm_request_receive entering debug3: monitor_read: checking request 50 debug3: mm_answer_pam_query debu...

On Tue, 23 Dec 2014, Dmt Ops wrote: > testing goole-authenticator's standalone functionality, it > > > cd google-authenticator/libpam/ > > ./demo > Verification code: 123456 > Login failed > Invalid verification code > > > > fails with an INVALID code, and > > > ./demo > Verification code:

...etdtablesize(); ++i) + if (i != ctxt->sock) + close(i); + sshpam_child(ctxt); + /* not reached */ + exit(1); + } + ctxt->sock = socks[0]; + close(socks[1]); + return (ctxt); +} - nresp = packet_get_int(); /* Number of responses. */ - debug("got %d responses", nresp); +int +sshpam_query(void *ctx, char **name, char **info, + u_int *num, char ***prompts, u_int **echo_on) +{ + struct sshpam_ctxt *ctxt = ctx; + char *msg; + debug3("PAM kbd-int query"); - if (nresp != context_pam2.num_expected) - fatal("%s: Received incorrect number of responses " - &q...

...: sshpam_thread_conv entering, 1 messages Nov 9 10:00:07 sshserver sshd[27977]: [ID 800047 auth.debug] debug3: ssh_msg_send: type 1 Nov 9 10:00:07 sshserver sshd[27977]: [ID 800047 auth.debug] debug3: ssh_msg_recv entering Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: PAM: sshpam_query entering Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: ssh_msg_recv entering Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.info] Postponed keyboard-interactive for testuser from 1.2.3.4 port 33457 ssh2 Nov 9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] de...

...for (i = 0; i < getdtablesize(); ++i) + if (i != ctxt->sock) + close(i); + sshpam_child(ctxt); + /* not reached */ + exit(1); + } + ctxt->sock = socks[0]; + close(socks[1]); + return (ctxt); } -void -input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt) +int +sshpam_query(void *ctx, char **name, char **info, + u_int *num, char ***prompts, u_int **echo_on) { - Authctxt *authctxt = ctxt; - unsigned int nresp = 0, rlen = 0, i = 0; - char *resp; + struct sshpam_ctxt *ctxt = ctx; + char *msg; - if (authctxt == NULL) - fatal("input_userauth_info_response_pam:...

...I have chosen to comment out the guts of routine import_environments() if USE_POSIX_PTHREADS is not defined as a solution, reasoning that this will also work if that routine a called by other parts of the code in some later version. I could have just commented out the single call to that routine in sshpam_query() as an alternative. Either way will work. diff -r -c old/auth-pam.c new/auth-pam.c *** old/auth-pam.c Tue Feb 17 05:20:08 2004 --- new/auth-pam.c Thu Feb 26 23:18:05 2004 *************** *** 201,206 **** --- 201,207 ---- debug3("PAM: %s entering", __func__); + #ifndef USE_POSIX...

https://bugzilla.mindrot.org/show_bug.cgi?id=2876 Bug ID: 2876 Summary: PAM_TEXT_INFO and PAM_ERROR_MSG conversation not honoured during PAM authentication Product: Portable OpenSSH Version: 7.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5

...c 13 Nov 2003 08:52:31 -0000 1.78 +++ auth-pam.c 13 Nov 2003 09:35:56 -0000 @@ -52,6 +52,8 @@ RCSID("$Id: auth-pam.c,v 1.78 2003/11/13 #include "auth-options.h" extern ServerOptions options; +extern Buffer loginmsg; +extern int compat20; #define __unused @@ -421,13 +423,9 @@ sshpam_query(void *ctx, char **name, cha case PAM_AUTH_ERR: if (**prompts != NULL) { /* drain any accumulated messages */ -#if 0 /* XXX - not compatible with privsep */ - packet_start(SSH2_MSG_USERAUTH_BANNER); - packet_put_cstring(**prompts); - packet_put_cstring(""); - packet...

...ting the authentication (client sends USERAUTH_REQUEST > instead of USERAUTH_INFO_RESPONSE)? > > In auth-pam.c:sshpam_thread_conv(), line 148, the two cases ECHO_OFF and > ECHO_ON should be combined into a single case, as should the ERROR_MSG > and TEXT_INFO cases; just as you do in sshpam_query(). > > The code as a whole /is/ far cleaner than what exists currently, so that > is a big plus. > > I dislike that kbdint is run via auth2_challenge() and all the refs > to "challenge". It's not necessarily a challenge. > > /fc

...entering debug3: monitor_read: checking request 52 debug3: mm_answer_pam_respond debug2: PAM: sshpam_respond entering, 1 responses debug3: ssh_msg_send: type 6 debug3: mm_request_send entering: type 53 debug3: mm_request_receive entering debug3: mm_sshpam_respond: pam_respond returned 1 debug3: mm_sshpam_query debug3: mm_request_send entering: type 50 debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY debug3: mm_request_receive_expect entering: type 51 debug3: mm_request_receive entering debug3: monitor_read: checking request 50 debug3: mm_answer_pam_query debug3: PAM: sshpam_query entering debug...

...NIT_CTX debug3: mm_answer_pam_init_ctx debug3: mm_request_receive_expect entering: type 49 debug3: PAM: sshpam_init_ctx entering debug3: mm_request_receive entering debug3: mm_request_send entering: type 49 debug3: PAM: sshpam_thread_conv entering, 1 messages debug3: ssh_msg_send: type 1 debug3: mm_sshpam_query debug3: ssh_msg_recv entering debug3: mm_request_receive entering debug3: mm_request_send entering: type 50 debug3: monitor_read: checking request 50 debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY debug3: mm_answer_pam_query debug3: mm_request_receive_expect entering: type 51 debug3: PA...

..._answer_authserv: service=ssh-connection, style= debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 104 debug3: mm_answer_pam_init_ctx debug3: PAM: sshpam_init_ctx entering debug3: mm_request_send entering: type 105 debug3: mm_sshpam_query [preauth] debug3: mm_request_send entering: type 106 [preauth] debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth] debug3: mm_request_receive_expect entering: type 107 [preauth] debug3: mm_request_receive entering [preauth] debug3: mm_request_receive entering debug3: monitor_read:...

Hi All. This patch calls pam_chauthtok() to change an expired password via PAM during keyboard-interactive authentication (SSHv2 only). It is tested on Redhat 8 and Solaris 8. In theory, it should have simply been a matter of calling pam_chauthtok with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password is if it's expired, right? From the Solaris pam_chauthtok man page:

Hello all, The long-mooted PAM merge from FreeBSD is starting _now_. This replaces the PAM password auth kludge that we have used until now with a discrete challenge-response module. This module is invoked via keyboard-interactive for protocol 2 or TIS auth for protocol 1. Warning: this is a large change and will probably break things. It has only been tested with basic password auth modules and

...nd entering: type 46 debug3: monitor_read: checking request 46 debug3: mm_answer_pam_init_ctx debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX debug3: mm_request_receive_expect entering: type 47 debug3: mm_request_receive entering debug3: mm_request_send entering: type 47 debug3: mm_sshpam_query debug3: mm_request_send entering: type 48 debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY debug3: mm_request_receive_expect entering: type 49 debug3: mm_request_receive entering debug3: mm_request_receive entering debug3: monitor_read: checking request 48 debug3: mm_answer_pam_query debu...

...=[<unknown>] rhost=[127.0.0.1] Oct 2 20:06:35 linux sshd[8860]: debug3: PAM: sshpam_thread_conv entering, 1 messages Oct 2 20:06:35 linux sshd[8860]: debug3: ssh_msg_send: type 1 Oct 2 20:06:35 linux sshd[8860]: debug3: ssh_msg_recv entering Oct 2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_query entering Oct 2 20:06:35 linux sshd[8856]: debug3: ssh_msg_recv entering Oct 2 20:06:35 linux sshd[8856]: Postponed keyboard-interactive for invalid user john from 127.0.0.1 port 32986 ssh2 Oct 2 20:06:35 linux sshd[8856]: debug2: auth2_challenge_start: devices <empty>Oct 2 20:06:35 linu...

On Sun, Dec 21, 2014 at 5:25 PM, Damien Miller <djm at mindrot.org> wrote: > On Fri, 19 Dec 2014, Dmt Ops wrote: > > > I added an EXPLICIT > > > > AuthenticationMethods publickey,keyboard-interactive > > + UsePam yes > > > > to sshd_config. Now, at connect attempt I get > > > > Password: > > Verification code: > >

...2_challenge: user=EXAMPLE+user1 devs= debug1: kbdint_alloc: devices 'pam' debug2: auth2_challenge_start: devices pam debug2: kbdint_next_device: devices <empty> debug1: auth2_challenge_start: trying authentication method 'pam' debug3: PAM: sshpam_init_ctx entering debug3: PAM: sshpam_query entering debug3: ssh_msg_recv entering debug3: PAM: sshpam_thread_conv entering, 1 messages debug3: ssh_msg_send: type 1 debug3: ssh_msg_recv entering debug3: send packet: type 60 Postponed keyboard-interactive for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2 smb.conf: [global]     netbi...

...1 devs= > debug1: kbdint_alloc: devices 'pam' > debug2: auth2_challenge_start: devices pam > debug2: kbdint_next_device: devices <empty> > debug1: auth2_challenge_start: trying authentication method 'pam' > debug3: PAM: sshpam_init_ctx entering > debug3: PAM: sshpam_query entering > debug3: ssh_msg_recv entering > debug3: PAM: sshpam_thread_conv entering, 1 messages > debug3: ssh_msg_send: type 1 > debug3: ssh_msg_recv entering > debug3: send packet: type 60 > Postponed keyboard-interactive for EXAMPLE+user1 from 141.30.156.114 > port 45018 ssh...