Robert Frank wrote:
Hi,
I'm currently writing a pam which uses an external serfvice to
authenticate users. For this to work, I need to have the clear text
password the user entered at the keyboard. The pam then asks the
external authority, using the login and the password obtained, to
check if the user may login or not.
This works fine for gdm and console login, but fails for ssh.
I've tried several different settings in sshd (PasswordAuthentication
yes/no, ChallengeResponseAuthentication yes/no, UsePAM yes), and ssh
does use my prompt I set in the challenge/response of the pam, but
all I ever get back as password is:
INCORRECT (sometimes in parentheses).
That happens when you don't have a local account for the user attempting
to log in (ie getpwnam() doesn't work) or the account is otherwise
disabled (eg not in AllowUsers).
The theory is that this is done to prevent info leaks (eg allowing a
password to be verified even though the login is disabled).
See:
http://bugzilla.mindrot.org/show_bug.cgi?id=1215
http://bugzilla.mindrot.org/show_bug.cgi?id=1269
What settings are necessary to get the clear text password? Where is
the pam interaction of ssh (openssh) documented?
I'm using OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct 2005 on FC5.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
