Robert Frank wrote:
> Hi,
>
> I'm currently writing a pam which uses an external service to
> authenticate users. For this to work, I need to have the clear text
> password the user entered at the keyboard. The pam then asks the
> external authority, using the login and the password obtained, to
> check if the user may login or not.
>
> This works fine for gdm and console login, but fails for ssh.
> I've tried several different settings in sshd (PasswordAuthentication
> yes/no, ChallengeResponseAuthentication yes/no, UsePAM yes), and ssh
> does use my prompt I set in the challenge/response of the pam, but
> all I ever get back as password is:
>
> INCORRECT (sometimes in parentheses).


That happens when you don't have a local account for the user attempting
to log in (i.e. getpwnam() doesn't work) or the account is otherwise
disabled (e.g. not in AllowUsers).

The theory is that this is done to prevent info leaks (e.g. allowing a
password to be verified even though the login is disabled).

See:
http://bugzilla.mindrot.org/show_bug.cgi?id=1215
http://bugzilla.mindrot.org/show_bug.cgi?id=1269

> What settings are necessary to get the clear text password? Where is
> the pam interaction of ssh (openssh) documented?
>
> I'm using OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct 2005 on FC5.


--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
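
Added example, not part of the original message and not OpenSSH code: a helper a PAM module could call before contacting the external authority, so that the placeholder token is logged and refused locally instead of being forwarded. The names `triage_authtok`, `lookup_fn` and `stub_lookup` are hypothetical, and matching on the text INCORRECT is an assumption based on what the thread reports.

```c
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

enum tok_status { TOK_USABLE, TOK_NO_LOCAL_ACCOUNT, TOK_PLACEHOLDER, TOK_MISSING };

/* Injectable account lookup; a real PAM module would pass getpwnam here. */
typedef struct passwd *(*lookup_fn)(const char *);

/* True if the token is "INCORRECT" after leading/trailing non-letters are
 * stripped. Assumption drawn from the thread, not a documented interface. */
static int looks_like_placeholder(const char *tok)
{
    while (*tok != '\0' && !isalpha((unsigned char)*tok))
        tok++;
    size_t len = strlen(tok);
    while (len > 0 && !isalpha((unsigned char)tok[len - 1]))
        len--;
    return len == 9 && strncmp(tok, "INCORRECT", 9) == 0;
}

/* Decide whether a token is worth forwarding to the external authority. */
enum tok_status triage_authtok(const char *user, const char *tok, lookup_fn lookup)
{
    if (user == NULL || tok == NULL || *tok == '\0')
        return TOK_MISSING;
    if (lookup(user) == NULL)
        return TOK_NO_LOCAL_ACCOUNT;  /* sshd withholds the real password */
    if (looks_like_placeholder(tok))
        return TOK_PLACEHOLDER;       /* account exists but is not allowed in */
    return TOK_USABLE;
}

/* Constructed stub: a passwd database that only knows "alice". */
struct passwd *stub_lookup(const char *name)
{
    static struct passwd pw;
    return strcmp(name, "alice") == 0 ? &pw : NULL;
}

int main(void)
{
    /* Constructed inputs: valid login, unknown user, placeholder token. */
    printf("%d %d %d\n", triage_authtok("alice", "constructed-pw", stub_lookup),
           triage_authtok("mallory", "constructed-pw", stub_lookup),
           triage_authtok("alice", "(INCORRECT)", stub_lookup));
    return 0;
}
```

Anything other than `TOK_USABLE` should end in an authentication failure; the distinct codes exist only so the module's log says why.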