Re: OpenSSH 4.2p1 and PAM - a problem
Jeff Blaine wrote:
> Darren, any explanation you can give would be great.
> Darren Tucker wrote:
>> On Tue, Nov 22, 2005 at 01:33:07PM -0500, Jeff Blaine wrote:
>>> The "AFS Password required but not supplied by user jblaine"
>>> below is bogus. A password was supplied.
>> Does "ssh -o PreferredAuthentications=password yourserver" work?
>> (This requires that PasswordAuthentication be enabled in sshd_config.)
>> If that works, I will explain why. If not, please open an OpenSSH bug
>> at http://bugzilla.mindrot.org and we will see what we can do to help
>> you get it working.
Oops, I meant to get back to answering that and (as usual) got sidetracked.
The basic reason is the way OpenSSH's sshd does PAM authentication for
keyboard-interactive: for various reasons, it forks off a process to
interact with PAM while the parent continues to interact with the
client. The pam_authenticate call is done in this child process.
Most of the time this works fine; however, PAM supplies a mechanism to
store module-private information (i.e. pam_set_data()) which does not work
with this. Your module probably uses it to store the user's credentials
(TGT / password / whatever) which is lost when this subprocess exits,
causing future invocations of the module to complain about its lack.
PasswordAuthentication uses a much simpler (but limited) method to
interact with PAM which does not use a subprocess, so it does not suffer
from this problem. If your modules work OK with this then it is
probably your best solution at the moment: simply disable
ChallengeResponseAuthentication in sshd_config.
Alternatively, you can compile with a #define to use a thread rather
than a process for keyboard-interactive (USE_POSIX_THREADS for <= 4.0p1,
UNSUPPORTED_POSIX_THREADS_HACK for >= 4.1p1), however this is, as you
may gather, unsupported.
The gory details can be found at http://bugzilla.mindrot.org in bug
#688, and in a couple of threads on the openssh-unix-dev list.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.