PAM Openssh-3.9.1 user prompt behavior - SSH


  1. PAM Openssh-3.9.1 user prompt behavior

    Hello People
    I have set up a Solaris 9 box with openssh-3.9.1 with RSA. My problem
    is this: I am trying to mimic the behavior of the ssh prompt with PAM just
    the way it works without PAM. This is what I have without PAM:
    once I try to ssh into the box and put in the wrong passcode the first time, it
    prompts me to put in the passcode again

    ssh -l name machinename
    PASSCODE-[wrong input]
    next prompt
    PASSCODE

    but once I enable PAM, the prompt I get is
    ssh -l name machinename
    PASSCODE-[wrong input]
    password:

    I believe it has something to do with
    Authentications that can continue:
    publickey,password,keyboard-interactive

    Any help is greatly appreciated.
    Thanks
    Unix Learner


  2. Re: PAM Openssh-3.9.1 user prompt behavior

    In article <1131664891.203835.233530@g14g2000cwa.googlegroups.com>
    jsahiwal@gmail.com writes:

    > I have setup a solaris 9 box with openssh-3.9.1 with RSA.


    I assume you mean RSA the company (e.g. its SecurID stuff) rather than
    RSA the crypto algorithm.

    > My problem
    >is this, i am trying to mimic the behavior of ssh prompt with pam just
    > the way it works without pam. This is what i have without pam,
    >once i try ssh into the box and put wrong passcode the first time , it
    >prompts me to put passcode again
    >
    >ssh -l name machinename
    >PASSCODE-[wrong input]
    >next prompt
    >PASSCODE
    >
    >but once i enable pam, the prompt i get is
    >ssh -l name machinename
    >PASSCODE-[wrong input]
    >password:


    This would seem to be an issue with your PAM setup - if your PAM module
    should reprompt, it should be handled within PAM. The application (i.e.
    sshd in this case) will normally (always?) call PAM only once - if it
    gets a failure reply from PAM, that's it. (Of course ssh(d) may use
    non-PAM-based authentication methods too.)

    One possibility is that the above is the result of your PAM config being
    set up to cycle through both your "RSA" module and the standard "pam_unix"
    one, and the latter doing its own prompting rather than using the
    password already given - though I would expect a prompt of "Password:"
    rather than "password:" in that case.

    --Per Hedeland
    per@hedeland.org
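
Added example, not part of the original thread: a small checker for the possibility raised in the reply above, where a second auth module in the stack prompts on its own instead of reusing the token already entered. It assumes the single-file pam.conf format and treats use_first_pass / try_first_pass as the reuse options; the sample config is constructed and pam_rsa_example.so.1 is a hypothetical module name.

```python
# Added example: flag pam.conf "auth" stacks where a later module may prompt again.
# SAMPLE is constructed; pam_rsa_example.so.1 is a hypothetical module name.
# Assumption: a module reuses the earlier token only when given one of REUSE_OPTS.
REUSE_OPTS = {"use_first_pass", "try_first_pass"}

SAMPLE = """\
# service  type     control     module                 options
sshd       auth     sufficient  pam_rsa_example.so.1
sshd       auth     required    pam_unix.so.1
login      auth     sufficient  pam_rsa_example.so.1
login      auth     required    pam_unix.so.1          try_first_pass
sshd       account  required    pam_unix.so.1
"""

def parse_auth_stacks(text):
    """Return {service: [(control, module, options), ...]} for auth entries, in file order."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry, skip it
        service, mtype, control, module = fields[:4]
        if mtype.lower() != "auth":
            continue  # only the auth stack produces login prompts
        stacks.setdefault(service.lower(), []).append((control, module, fields[4:]))
    return stacks

def reprompt_candidates(text):
    """List (service, module) for every non-first auth module lacking a reuse option."""
    findings = []
    for service, stack in parse_auth_stacks(text).items():
        for _control, module, options in stack[1:]:
            if not REUSE_OPTS & set(options):
                findings.append((service, module))
    return findings

if __name__ == "__main__":
    for service, module in reprompt_candidates(SAMPLE):
        print(f"{service}: {module} has no use_first_pass/try_first_pass; "
              "it may issue its own prompt")
```

A flagged entry is only a candidate: whether a given module honours these options, or prompts at all, depends on that module's own documentation.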
