Hi again,

Sorry, I'm afraid I don't understand how this can help with this subject,
mainly because I don't see the relation between the pam-test and the sshd or
my module. Probably you wanted me to do something different; this is what
I have run:


user@ubuntu804desktop:~/Desktop$ sudo ./pam-test-harness -T -v
[sudo] password for user:
0.00 $Id: pam-test-harness.c,v 1.31 2007/08/19 02:27:40 dtucker Exp $
0.00 conversation struct {conv=0x8049119, appdata_ptr=0x804bb78}
0.00 pam_start(login, (NULL), &conv, &pamh)
0.01 = 0 (Success)
0.01 pam_get_item(pamh, PAM_SERVICE, ...)
0.01 = 0 (Success)
0.01 PAM_SERVICE = login (unchanged)
0.01 pam_set_item(pamh, PAM_TTY, "ssh")
0.01 = 0 (Success)
0.01 pam_set_item(pamh, PAM_RHOST, "ubuntu804desktop")
0.01 = 0 (Success)
0.01 pam_set_item(pamh, PAM_RUSER, "user")
0.01 = 0 (Success)
0.01 pam_authenticate(pamh, 0x0)
0.01 conversation called with 1 messages data 0x804bb78
0.01 PROMPT_ECHO_ON: login:user
2.53 [conversation function returned]
2.53 conversation called with 1 messages data 0x804bb78
2.53 PROMPT_ECHO_OFF: Password: user
3.44 [conversation function returned]
3.44 = 0 (Success)
3.44 pam_acct_mgmt(pamh, 0x0)
3.44 = 0 (Success)
3.44 pam_open_session(pamh, 0x0)
3.45 conversation called with 1 messages data 0x804bb78
3.45 TEXT_INFO: Last login: Thu Nov 6 19:15:02 EST 2008 from
localhost on pts/5
3.45 conversation called with 1 messages data 0x804bb78
3.45 TEXT_INFO: Linux ubuntu804desktop 2.6.24-21-generic #1 SMP Tue
Oct 21 23:43:45 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
3.45 = 0 (Success)
3.45 pam_setcred(pamh, 0x0)
3.45 = 0 (Success)
3.45 pam_get_item(pamh, PAM_SERVICE, ...)
3.45 = 0 (Success)
3.45 PAM_SERVICE = login (unchanged)
3.45 pam_get_item(pamh, PAM_USER, ...)
3.45 = 0 (Success)
3.45 PAM_USER = user (CHANGED)
3.45 pam_get_item(pamh, PAM_TTY, ...)
3.45 = 0 (Success)
3.45 PAM_TTY = ssh (unchanged)
3.45 Standard environment variables:
3.45 PAM environment variables:
3.45 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
3.45 LANG=en_US.UTF-8
3.45 MAIL=/var/mail/user
3.45 uid 0 euid 0 gid 0 egid 0
3.45 pam_close_session(pamh, 0)
3.45 = 0 (Success)
3.45 pam_end(pamh, 0)
3.45 = 0 (Success)




> It should, but having said that it would only work for keyboard-interactive
> and PAM can be invoked for other auth types (password, for the auth stack or
> any, for the account stack). Banner messages can be sent at any time before
> authentication is complete (that's why they're used for this).


Yes, that's fine, we only want it working with keyboard-interactive and
PAM. I wanted to ask you in the last email: what are "banner messages" in a
PAM context? I mean, as far as I know the only way to send information
messages from a PAM module is PAM conversation
(http://linux.die.net/man/3/pam_conv conv function with PAM_TEXT_INFO). I
didn't find any other way... Am I wrong?

I have seen that pam_info uses this conv in the subsequent calls...

Thanks





On Fri, Nov 7, 2008 at 12:38 AM, Darren Tucker wrote:

> Julián de Navascués wrote:
> [...]
>
>> Is the sshd able to receive an info message from PAM (as a PAM aware
>> app in a PAM conversation) and send it immediately to the SSH client
>> (as a SSH server in the middle of a keyboard interactive
>> authentication) ???
>
> It should, but having said that it would only work for keyboard-interactive
> and PAM can be invoked for other auth types (password, for the auth stack or
> any, for the account stack). Banner messages can be sent at any time before
> authentication is complete (that's why they're used for this).
>
>> Has anybody done this before? I know it sounds complicated or even
>> absurd, but we want it (and we don't want to patch SSH server or
>> client).
>
> [...]
>
> I will look at this but it would be easier if you can supply the output
> from the diag tool I asked for:
>
>> Could you please compile and run (as root) this little test program
>> to show what PAM's doing and post the output? (Sanity checking the code
>> first is recommended. It doesn't set noecho so you want to make sure
>> there's nobody watching over shoulders, and obviously clip any sensitive
>> bits from the output.)
>>
>> http://www.zip.com.au/~dtucker/patch...test-harness.c
>
> (addendum: if the timing is important to you please add the -v option to
> enable timestamps)
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev
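
Added example, not part of the thread and not code from the test harness: a small parser for the `-v` trace format shown in the message above, which attributes each conversation message to the PAM call that was active when it was delivered. The sample trace is constructed from the lines in the post (abridged, password placeholder); the function names are this example's own.

```python
import re

# Constructed sample in the format of the harness trace above (abridged,
# with the echoed password replaced by a placeholder).
SAMPLE_TRACE = """\
0.01 pam_authenticate(pamh, 0x0)
0.01 conversation called with 1 messages data 0x804bb78
0.01 PROMPT_ECHO_ON: login:user
2.53 [conversation function returned]
2.53 conversation called with 1 messages data 0x804bb78
2.53 PROMPT_ECHO_OFF: Password: <redacted>
3.44 [conversation function returned]
3.44 = 0 (Success)
3.44 pam_open_session(pamh, 0x0)
3.45 conversation called with 1 messages data 0x804bb78
3.45 TEXT_INFO: Last login: Thu Nov 6 19:15:02 EST 2008 from
localhost on pts/5
3.45 = 0 (Success)
"""

LINE = re.compile(r"^(\d+\.\d+)\s+(.*)$")          # "<timestamp> <body>"
CALL = re.compile(r"^(pam_\w+)\(")                  # start of a PAM call
RESULT = re.compile(r"^= (-?\d+) \((.*)\)$")        # "= 0 (Success)"
MESSAGE = re.compile(r"^(PROMPT_ECHO_ON|PROMPT_ECHO_OFF|TEXT_INFO):")

def parse_trace(trace):
    """Return one record per PAM call, with the conversation messages seen inside it."""
    calls, current = [], None
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped message text or blank line: no timestamp
        ts, body = float(m.group(1)), m.group(2)
        if (c := CALL.match(body)):
            current = {"call": c.group(1), "start": ts, "end": None, "rc": None, "messages": []}
            calls.append(current)
        elif current and (r := RESULT.match(body)):
            current["end"], current["rc"] = ts, int(r.group(1))
            current = None  # call finished; later messages belong to the next call
        elif current and (k := MESSAGE.match(body)):
            current["messages"].append(k.group(1))
    return calls

def calls_emitting(trace, kind="TEXT_INFO"):
    """Names of the PAM calls during which a message of the given kind was delivered."""
    return [c["call"] for c in parse_trace(trace) if kind in c["messages"]]

print(calls_emitting(SAMPLE_TRACE))
```

On the sample, the only `TEXT_INFO` message is delivered inside `pam_open_session`, after `pam_authenticate` has already returned.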