Displaying 20 results from an estimated 23 matches for "sshpam_query".
2025 Feb 13
4
[PATCH 0/4] [PATCH] Immediately report interactive instructions
From: "Marco Trevisan" <marco at ubuntu.com>
This series of patches has already been submitted via [1], but I'm
sending them again to the ML, to see if they can get some more traction.
The patches are already part of Ubuntu openssh since 24.04, and they
basically allow proper immediate instruction reporting to clients using
PAM (as per RFC4256).
This follows the approach
2025 Feb 13
0
[PATCH 2/4] auth-pam: Add an enum to define the PAM done status
...if
+typedef int SshPamDone;
+#define SshPamError -1
+#define SshPamNone 0
+#define SshPamAuthenticated 1
+
struct pam_ctxt {
sp_pthread_t pam_thread;
int pam_psock;
int pam_csock;
- int pam_done;
+ SshPamDone pam_done;
};
static void sshpam_free_ctx(void *);
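Review bot: the subject says "Add an enum", but the added lines declare SshPamDone as "typedef int" with three #define constants, so pam_done still accepts any integer and the compiler cannot flag an unhandled state. Consider a real "typedef enum { SshPamError = -1, SshPamNone = 0, SshPamAuthenticated = 1 } SshPamDone;" so that switch statements over pam_done get -Wswitch coverage, or adjust the subject to match what the patch does.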
@@ -904,7 +909,7 @@ sshpam_query(void *ctx, char **name, char **info,
**prompts = NULL;
*num = 0;
**echo_on = 0;
- ctxt->pam_done = -1;
+ ctxt->pam_done = SshPamError;
free(msg);
sshbuf_free(buffer);
return 0;
@@ -931,7 +936,7 @@ sshpam_query(void *ctx, char **name, char **info,
impor...
2004 Jun 01
1
Sending immediate PAM auth failure messages via kbd-int
Hi.
One thing that people seem to want to do with PAM is to deny a login
immediately without interacting but return a message to the user. (Some
platforms implement, eg, /etc/nologin via PAM this way.) Currently, sshd
will just deny the login and the user will not be told why.
Attached is a patch that returns a keyboard-interactive packet with the
message in the "instruction"
2010 Jul 13
5
[Bug 1795] New: An integer variable "num" in mm_answer_pam_query() is not initialized before used
...++i) {
buffer_put_cstring(m, prompts[i]); <== fail here!
xfree(prompts[i]);
buffer_put_int(m, echo_on[i]);
}
------- sshd debug log -----------
debug3: PAM: sshpam_init_ctx entering
debug3: mm_request_send entering: type 49
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 50
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_pam_query
debu...
2014 Dec 23
2
chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
On Tue, 23 Dec 2014, Dmt Ops wrote:
> testing google-authenticator's standalone functionality, it
>
> > cd google-authenticator/libpam/
> > ./demo
> Verification code: 123456
> Login failed
> Invalid verification code
> >
>
> fails with an INVALID code, and
>
> > ./demo
> Verification code:
2002 Jul 02
3
New PAM kbd-int diff
...etdtablesize(); ++i)
+ if (i != ctxt->sock)
+ close(i);
+ sshpam_child(ctxt);
+ /* not reached */
+ exit(1);
+ }
+ ctxt->sock = socks[0];
+ close(socks[1]);
+ return (ctxt);
+}
- nresp = packet_get_int(); /* Number of responses. */
- debug("got %d responses", nresp);
+int
+sshpam_query(void *ctx, char **name, char **info,
+ u_int *num, char ***prompts, u_int **echo_on)
+{
+ struct sshpam_ctxt *ctxt = ctx;
+ char *msg;
+ debug3("PAM kbd-int query");
- if (nresp != context_pam2.num_expected)
- fatal("%s: Received incorrect number of responses "
- &q...
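Review bot: the removed "if (nresp != context_pam2.num_expected) fatal(...)" check was the guard on the client-supplied response count, and the visible part of the new sshpam_query() shows no counterpart. Please confirm that the new response path still compares the number of responses from the client against the number of prompts that were sent before indexing into them, and say so in a comment where that check now lives.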
2004 Nov 09
1
Solaris + PAM/LDAP + pubkey failing?
...: sshpam_thread_conv entering, 1 messages
Nov 9 10:00:07 sshserver sshd[27977]: [ID 800047 auth.debug] debug3: ssh_msg_send: type 1
Nov 9 10:00:07 sshserver sshd[27977]: [ID 800047 auth.debug] debug3: ssh_msg_recv entering
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: PAM: sshpam_query entering
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: ssh_msg_recv entering
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.info] Postponed keyboard-interactive for testuser from 1.2.3.4 port 33457 ssh2
Nov 9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] de...
2002 Jun 25
4
PAM kbd-int with privsep
...for (i = 0; i < getdtablesize(); ++i)
+ if (i != ctxt->sock)
+ close(i);
+ sshpam_child(ctxt);
+ /* not reached */
+ exit(1);
+ }
+ ctxt->sock = socks[0];
+ close(socks[1]);
+ return (ctxt);
}
-void
-input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt)
+int
+sshpam_query(void *ctx, char **name, char **info,
+ u_int *num, char ***prompts, u_int **echo_on)
{
- Authctxt *authctxt = ctxt;
- unsigned int nresp = 0, rlen = 0, i = 0;
- char *resp;
+ struct sshpam_ctxt *ctxt = ctx;
+ char *msg;
- if (authctxt == NULL)
- fatal("input_userauth_info_response_pam:...
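Review bot: the loop "for (i = 0; i < getdtablesize(); ++i)" in the child closes every descriptor except ctxt->sock, including 0, 1 and 2, so any file or socket a PAM module opens later can land on a stdio descriptor number and receive stray writes. Consider starting the loop above STDERR_FILENO, or reopening /dev/null on 0-2 before calling sshpam_child(), and note in a comment why everything else is closed.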
2004 Feb 27
1
Minor Thread Bug In OpenSSH 3.8p1
...I have chosen to comment out the guts of routine import_environments() if
USE_POSIX_PTHREADS is not defined as a solution, reasoning that this will
also work if that routine is called by other parts of the code in some later
version. I could have just commented out the single call to that routine in
sshpam_query() as an alternative. Either way will work.
diff -r -c old/auth-pam.c new/auth-pam.c
*** old/auth-pam.c Tue Feb 17 05:20:08 2004
--- new/auth-pam.c Thu Feb 26 23:18:05 2004
***************
*** 201,206 ****
--- 201,207 ----
debug3("PAM: %s entering", __func__);
+ #ifndef USE_POSIX...
2018 Jun 12
16
[Bug 2876] New: PAM_TEXT_INFO and PAM_ERROR_MSG conversation not honoured during PAM authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2876
Bug ID: 2876
Summary: PAM_TEXT_INFO and PAM_ERROR_MSG conversation not
honoured during PAM authentication
Product: Portable OpenSSH
Version: 7.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
2003 Nov 13
0
[PATCH] Make PAM chauthtok_conv function into tty_conv
...c 13 Nov 2003 08:52:31 -0000 1.78
+++ auth-pam.c 13 Nov 2003 09:35:56 -0000
@@ -52,6 +52,8 @@ RCSID("$Id: auth-pam.c,v 1.78 2003/11/13
#include "auth-options.h"
extern ServerOptions options;
+extern Buffer loginmsg;
+extern int compat20;
#define __unused
@@ -421,13 +423,9 @@ sshpam_query(void *ctx, char **name, cha
case PAM_AUTH_ERR:
if (**prompts != NULL) {
/* drain any accumulated messages */
-#if 0 /* XXX - not compatible with privsep */
- packet_start(SSH2_MSG_USERAUTH_BANNER);
- packet_put_cstring(**prompts);
- packet_put_cstring("");
- packet...
2003 Feb 26
0
PAM merge from FreeBSD
...ting the authentication (client sends USERAUTH_REQUEST
> instead of USERAUTH_INFO_RESPONSE)?
>
> In auth-pam.c:sshpam_thread_conv(), line 148, the two cases ECHO_OFF and
> ECHO_ON should be combined into a single case, as should the ERROR_MSG
> and TEXT_INFO cases; just as you do in sshpam_query().
>
> The code as a whole /is/ far cleaner than what exists currently, so that
> is a big plus.
>
> I dislike that kbdint is run via auth2_challenge() and all the refs
> to "challenge". It's not necessarily a challenge.
>
> /fc
2004 May 27
1
Solaris/PAM/AFS: can't make it work
...entering
debug3: monitor_read: checking request 52
debug3: mm_answer_pam_respond
debug2: PAM: sshpam_respond entering, 1 responses
debug3: ssh_msg_send: type 6
debug3: mm_request_send entering: type 53
debug3: mm_request_receive entering
debug3: mm_sshpam_respond: pam_respond returned 1
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 50
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug...
2006 Aug 15
1
OpenSSH_4.3p2 fails to create a pty session
...NIT_CTX
debug3: mm_answer_pam_init_ctx
debug3: mm_request_receive_expect entering: type 49
debug3: PAM: sshpam_init_ctx entering
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 49
debug3: PAM: sshpam_thread_conv entering, 1 messages
debug3: ssh_msg_send: type 1
debug3: mm_sshpam_query
debug3: ssh_msg_recv entering
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 50
debug3: monitor_read: checking request 50
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_answer_pam_query
debug3: mm_request_receive_expect entering: type 51
debug3: PA...
2015 Apr 07
2
OpenSSH 6.6.x sends invalid SSH_MSG_USERAUTH_INFO_REQUEST
..._answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 104
debug3: mm_answer_pam_init_ctx
debug3: PAM: sshpam_init_ctx entering
debug3: mm_request_send entering: type 105
debug3: mm_sshpam_query [preauth]
debug3: mm_request_send entering: type 106 [preauth]
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth]
debug3: mm_request_receive_expect entering: type 107 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read:...
2003 Oct 12
4
[PATCH]: Call pam_chauthtok from keyboard-interactive.
Hi All.
This patch calls pam_chauthtok() to change an expired password via PAM
during keyboard-interactive authentication (SSHv2 only). It is tested on
Redhat 8 and Solaris 8.
In theory, it should have simply been a matter of calling pam_chauthtok
with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password
if it's expired, right? From the Solaris pam_chauthtok man page:
2003 May 10
4
New PAM code landing (at last)
Hello all,
The long-mooted PAM merge from FreeBSD is starting _now_. This replaces
the PAM password auth kludge that we have used until now with a discrete
challenge-response module. This module is invoked via
keyboard-interactive for protocol 2 or TIS auth for protocol 1.
Warning: this is a large change and will probably break things. It has
only been tested with basic password auth modules and
2003 Sep 17
5
openssh-3.7.1p1 segfaults
...nd entering: type 46
debug3: monitor_read: checking request 46
debug3: mm_answer_pam_init_ctx
debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX
debug3: mm_request_receive_expect entering: type 47
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 47
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 48
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 49
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 48
debug3: mm_answer_pam_query
debu...
2004 Oct 02
12
[Bug 938] "AllowGroups" option and secondary user's groups limit
...=[<unknown>]
rhost=[127.0.0.1]
Oct 2 20:06:35 linux sshd[8860]: debug3: PAM: sshpam_thread_conv
entering, 1 messages
Oct 2 20:06:35 linux sshd[8860]: debug3: ssh_msg_send: type 1
Oct 2 20:06:35 linux sshd[8860]: debug3: ssh_msg_recv entering
Oct 2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_query entering
Oct 2 20:06:35 linux sshd[8856]: debug3: ssh_msg_recv entering
Oct 2 20:06:35 linux sshd[8856]: Postponed keyboard-interactive for
invalid user john from 127.0.0.1 port 32986 ssh2
Oct 2 20:06:35 linux sshd[8856]: debug2: auth2_challenge_start: devices
<empty>Oct 2 20:06:35 linu...
2014 Dec 23
3
chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
On Sun, Dec 21, 2014 at 5:25 PM, Damien Miller <djm at mindrot.org> wrote:
> On Fri, 19 Dec 2014, Dmt Ops wrote:
>
> > I added an EXPLICIT
> >
> > AuthenticationMethods publickey,keyboard-interactive
> > + UsePam yes
> >
> > to sshd_config. Now, at connect attempt I get
> >
> > Password:
> > Verification code:
> >