Jeff Blaine wrote:
> Darren, any explanation you can give would be great.
> [...]
> http://www.networksecurityarchive.or.../msg00049.html
>
> Darren Tucker wrote:
>> On Tue, Nov 22, 2005 at 01:33:07PM -0500, Jeff Blaine wrote:

[...]
>>> The "AFS Password required but not supplied by user jblaine"
>>> below is bogus. A password was supplied.

>>
>>
>> Does "ssh -o PreferredAuthentications=password yourserver" work?
>> (This requires that PasswordAuthentication be enabled in sshd_config.)
>>
>> If that works, I will explain why. If not, please open an OpenSSH bug
>> at http://bugzilla.mindrot.org and we will see what we can do to help
>> you get it working.


Oops, I meant to get back to answering that and (as usual) got sidetracked.

The basic reason is the way OpenSSH's sshd does PAM authentication for
keyboard-interactive: for various reasons, it forks off a process to
interact with PAM while the parent continues to interact with the
client. The pam_authenticate call is done in this child process.

Most of the time this works fine, however PAM supplies a mechanism to
store module-private information (ie pam_set_data()) which does not work
with this. Your module probably uses it to store the user's credentials
(TGT / password / whatever) which is lost when this subprocess exits,
causing future invocations of the module to complain about its lack.

PasswordAuthentication uses a much simpler (but limited) method to
interact with PAM which does not use a subprocess, so it does not suffer
from this problem. If your modules work OK with this then it is
probably your best solution at the moment: simply disable
ChallengeResponseAuthentication in sshd_config.

Alternatively, you can compile with a #define to use a thread rather
than a process for keyboard-interactive (USE_POSIX_THREADS for <= 4.0p1,
UNSUPPORTED_POSIX_THREADS_HACK for >= 4.1p1), however this is, as you
may gather, unsupported.

The gory details can be found at http://bugzilla.mindrot.org in bug
#688, and in a couple of threads on the openssh-unix-dev list.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.