search for: sshpam_respond

From: "Marco Trevisan" <marco at ubuntu.com> This serie of patches have been already submitted via [1], but i'm sending them again to the ML, to see if they can get some more traction. The patches are already part of Ubuntu openssh since 24.04, and they basically allow proper immediate instruction reporting to clients using PAM (as per RFC4256). This follows the approach

...t;%s> = <%d>", responses[0], authok); - return (authok == 0) ? -1 : 0; + return (authok == 0) ? KbdintResultFailure : KbdintResultSuccess; } static void diff --git a/auth-pam.c b/auth-pam.c index 13c0a792e..5dfa69202 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -990,15 +990,15 @@ sshpam_respond(void *ctx, u_int num, char **resp) switch (ctxt->pam_done) { case 1: sshpam_authenticated = 1; - return (0); + return KbdintResultSuccess; case 0: break; default: - return (-1); + return KbdintResultFailure; } if (num != 1) { error("PAM: expected one response, got %...

...= 1; + break; + case '!': /* Error */ + error("%s", msg + 1); + default: + *num = 0; + **echo_on = 0; + xfree(msg); + ctxt->done = -1; + return (-1); + } + xfree(msg); + return (0); +} - if (nresp > 100) - fatal("%s: too many replies", __func__); +int +sshpam_respond(void *ctx, u_int num, char **resp) +{ + struct sshpam_ctxt *ctxt = ctx; + char *msg; - for (i = 0; i < nresp; i++) { - int j = context_pam2.prompts[i]; + debug3("PAM kbd-int %d responses", num); - resp = packet_get_string(&rlen); - context_pam2.responses[j].resp_retcode = PA...

...t: trying authentication method 'pam' [preauth] Dec 23 07:05:21 server sshd[23109]: Postponed keyboard-interactive for root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2: ED25519 yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy [preauth] Dec 23 07:05:27 server sshd[23109]: debug2: PAM: sshpam_respond entering, 1 responses Dec 23 07:05:27 server sshd[23109]: Postponed keyboard-interactive/pam for root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2 [preauth] Dec 23 07:05:34 server sshd[23109]: debug2: PAM: sshpam_respond entering, 1 responses Dec 23 07:05:34 server sshd(pam_google_authen...

...0; + ctxt->done = 1; + break; + case '!': + error("%s", msg + 1); + default: + *num = 0; + **echo_on = 0; + xfree(msg); + ctxt->done = -1; + return (-1); + } + xfree(msg); + return (0); +} - for (i = 0; i < nresp; i++) { - int j = context_pam2.prompts[i]; +int +sshpam_respond(void *ctx, u_int num, char **resp) +{ + struct sshpam_ctxt *ctxt = ctx; + char *msg; - resp = packet_get_string(&rlen); - context_pam2.responses[j].resp_retcode = PAM_SUCCESS; - context_pam2.responses[j].resp = xstrdup(resp); - xfree(resp); - context_pam2.num_received++; + debug3("P...

...sg); sshbuf_free(buffer); return (0); @@ -944,7 +949,7 @@ sshpam_query(void *ctx, char **name, char **info, *num = 0; **echo_on = 0; free(msg); - ctxt->pam_done = -1; + ctxt->pam_done = SshPamError; sshbuf_free(buffer); return (-1); } @@ -988,10 +993,10 @@ sshpam_respond(void *ctx, u_int num, char **resp) debug2("PAM: %s entering, %u responses", __func__, num); switch (ctxt->pam_done) { - case 1: + case SshPamAuthenticated: sshpam_authenticated = 1; return KbdintResultSuccess; - case 0: + case SshPamNone: break; default: return Kbdi...

http://www.mindrot.org/~djm/openssh/openssh-newpam-20030123.tar.gz Is a snapshot of the new PAM-via-KbdInt authentication support from FreeBSD's OpenSSH tree. Please test this now. I can only surmise by the silence that has greeted my previous requests for testing that the code works perfectly. -d

https://bugzilla.mindrot.org/show_bug.cgi?id=2876 Bug ID: 2876 Summary: PAM_TEXT_INFO and PAM_ERROR_MSG conversation not honoured during PAM authentication Product: Portable OpenSSH Version: 7.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5

...Makefile. (Correct?) When I tried this, I was prompted for a password but when I entered it the server closed the connection. The debug output from the server (from the point of the password prompt) was: Postponed keyboard-interactive for dsteiner from 129.170.18.58 port 45683 ssh2 debug3: mm_sshpam_respond debug3: mm_request_send entering: type 52 debug3: mm_sshpam_respond: waiting for MONITOR_ANS_PAM_RESPOND debug3: mm_request_receive_expect entering: type 53 debug3: mm_request_receive entering debug3: monitor_read: checking request 52 debug3: mm_answer_pam_respond debug2: PAM: sshpam_respond enteri...

...am_query entering debug3: mm_request_receive entering debug3: ssh_msg_recv entering debug3: mm_request_send entering: type 51 debug3: mm_sshpam_query: pam_query returned 0 debug3: mm_request_receive entering Postponed keyboard-interactive for emillbrandt from 192.168.1.42 port 4825 ssh2 debug3: mm_sshpam_respond debug3: mm_request_send entering: type 52 debug3: monitor_read: checking request 52 debug3: mm_answer_pam_respond debug2: PAM: sshpam_respond entering, 1 responses debug3: ssh_msg_send: type 6 debug3: mm_sshpam_respond: waiting for MONITOR_ANS_PAM_RESPOND debug3: mm_request_receive_expect entering:...

...quot;; - What is supposed to be the behaviour of ssh when it is used with PAM ? Shall SSh pass on to PAM the exact credentials entered at the prompt (username and passwd) without affecting them (by putting "INCORRECT" in the passwd : buffer_put_cstring(&buffer, badpw); auth-pam.c in sshpam_respond() )? (BTW, this is how I have installed ssh on my linux box : ./configure --with-pam --prefix=/usr --sysconfdir=/etc/ssh make make install) - I found that other OpenSSH user had a similar problem. Is there a workaround ? Thank you for your help. I'm really struggling with this... ! Philip...

...ebug3: mm_request_receive entering Jul 13 17:05:31 tatiana sshd[25597]: [ID 800047 auth.debug] debug3: monitor_read: checking request 52 Jul 13 17:05:31 tatiana sshd[25597]: [ID 800047 auth.debug] debug3: mm_answer_pam_respond Jul 13 17:05:31 tatiana sshd[25597]: [ID 800047 auth.debug] debug2: PAM: sshpam_respond entering, 0 responses Jul 13 17:05:31 tatiana sshd[25597]: [ID 800047 auth.debug] debug3: mm_request_send entering: type 53 Jul 13 17:05:31 tatiana sshd[25597]: [ID 800047 auth.debug] debug3: mm_request_receive entering Jul 13 17:05:31 tatiana sshd[25597]: [ID 800047 auth.debug] debug3: monitor_rea...

Hi. One thing that people seem to want to do with PAM is to deny a login immediately without interacting but return a message to the user. (Some platforms implement, eg, /etc/nologin via PAM this way.) Currently, sshd will just deny the login and the user will not be told why. Attached it a patch that return a keyboard-interactive packet with the message in the "instruction"

I added an EXPLICIT AuthenticationMethods publickey,keyboard-interactive + UsePam yes to sshd_config. Now, at connect attempt I get Password: Verification code: Password: Verification code: Password: ... I.e., It's asking for Password, not accepting pubkey AND when given the password (which is correct), and the GA VerificationCode, it simply repeats the credentials request.

On Tue, 23 Dec 2014, Dmt Ops wrote: > testing goole-authenticator's standalone functionality, it > > > cd google-authenticator/libpam/ > > ./demo > Verification code: 123456 > Login failed > Invalid verification code > > > > fails with an INVALID code, and > > > ./demo > Verification code:

...ug3: ssh_msg_recv entering debug3: ssh_msg_send: type 1 debug3: mm_request_send entering: type 49 debug3: mm_request_receive entering debug3: mm_sshpam_query: pam_query returned 0 Postponed keyboard-interactive for agirardet from 10.65.59.54 port 43168 ssh2 debug3: ssh_msg_recv entering debug3: mm_sshpam_respond debug3: mm_request_send entering: type 50 debug3: mm_sshpam_respond: waiting for MONITOR_ANS_PAM_RESPOND debug3: mm_request_receive_expect entering: type 51 debug3: mm_request_receive entering debug3: monitor_read: checking request 50 debug3: mm_answer_pam_respond debug2: PAM: sshpam_respond debug3...

...ov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: ssh_msg_recv entering Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.info] Postponed keyboard-interactive for testuser from 1.2.3.4 port 33457 ssh2 Nov 9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug2: PAM: sshpam_respond entering, 1 responses Nov 9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: ssh_msg_send: type 6 Nov 9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: PAM: sshpam_query entering Nov 9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: ssh_msg_recv enteri...

...g debug3: PAM: sshpam_thread_conv entering, 1 messages debug3: ssh_msg_send: type 1 debug3: ssh_msg_recv entering debug3: mm_request_send entering: type 107 debug3: mm_sshpam_query: pam_query returned 0 [preauth] Postponed keyboard-interactive for admin from ::1 port 50860 ssh2 [preauth] debug3: mm_sshpam_respond [preauth] debug3: mm_request_send entering: type 108 [preauth] debug3: mm_sshpam_respond: waiting for MONITOR_ANS_PAM_RESPOND [preauth] debug3: mm_request_receive_expect entering: type 109 [preauth] debug3: mm_request_receive entering [preauth] debug3: mm_request_receive entering debug3: monitor_re...

...empty> [preauth] debug1: auth2_challenge_start: trying authentication method 'pam' [preauth] debug2: monitor_read: 4 used once, disabling now debug2: monitor_read: 80 used once, disabling now Postponed keyboard-interactive for root from 172.17.0.1 port 35432 ssh2 [preauth] debug2: PAM: sshpam_respond entering, 1 responses Password: PAM: Authentication failure for root from gateway debug2: auth2_challenge_start: devices <empty> [preauth] debug2: monitor_read: 110 used once, disabling now Failed keyboard-interactive/pam for root from 172.17.0.1 port 35432 ssh2 debug1: userauth-request for u...