SSHD doesn't allow PAM module to use its own prompt for password

Darren Tucker dtucker at zip.com.au
Thu Apr 27 21:19:30 UTC 2006


On Thu, Apr 27, 2006 at 12:17:21PM -0700, Kent Wu wrote:
> Hi guys,
> 
> 	I'm trying to write up my own PAM module to authenticate users
> coming in from ssh channel. This module was working pretty well until
> lately I wanted to enhance it a bit.
> 
> 	What I tried to achieve is that when the system is in a bad
> state (detected by my PAM module), I want to prompt the user for a
> special pre-defined password for recovery purpose; the prompt I wanted
> is like "system is unstable, pls provide recovery password:". I passed
> this message through the pam_conv structure which I got by calling: 
> 
> pam_get_item(pamh, PAM_CONV, &void_conv);
> 
> However this prompt never showed up in my log-in screen. Here I
> specified the msg_style as either PAM_PROMPT_ECHO_OFF or
> PAM_PROMPT_ECHO_ON however neither of these works.
> 
> So I'm thinking even though PAM has defined this conversation structure
> however looks like SSHD doesn't really honor it well enough. Am I
> missing something here or is there a workaround for me to achieve what I
> want?

Which ssh server software and version are you running?

If it's OpenSSH, you need to be using keyboard-interactive authentication
in sshd for this sort of thing to work.  Make sure it's enabled in the
server's sshd_config ("ChallengeResponseAuthentication yes") then try
"ssh -o preferredauthentications=keyboard-interactive yourserver".
If that doesn't work then it's probably a bug somewhere, possibly in sshd.

In SSH in general, basic password authentication within the protocol
doesn't provide enough flexibility to do what you want.  (It's possible
for sshd to hack around some of the limits by using things like SSHv2
banner packets, which OpenSSH's sshd does for some things.)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
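
The module side of the conversation discussed in this message, as an added example that is not code from the original post or from OpenSSH: the helper sends one no-echo prompt through the application's conversation callback and checks the reply, and whether the user ever sees that prompt depends on the application, which for OpenSSH means keyboard-interactive as described above. The names prompt_hidden, fake_conv and last_prompt are hypothetical, fake_conv is a constructed stand-in for the application side, and the fallback definitions are assumed copies of the Linux-PAM ones so the file builds without PAM headers.

```c
#include <stdlib.h>
#include <string.h>
#if defined(__has_include) && __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else /* assumption: minimal copies of the Linux-PAM definitions */
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_CONV_ERR = 19 };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
#endif

/* Module side: ask one no-echo question through the application's conversation
 * callback (in a module, conv comes from pam_get_item(pamh, PAM_CONV, ...)).
 * On success *answer is a malloc'd string the caller must wipe and free. */
int prompt_hidden(const struct pam_conv *conv, const char *prompt, char **answer)
{
    struct pam_message msg = { .msg_style = PAM_PROMPT_ECHO_OFF, .msg = prompt };
    const struct pam_message *msgp = &msg;
    struct pam_response *resp = NULL;

    *answer = NULL;
    if (conv == NULL || conv->conv == NULL)
        return PAM_CONV_ERR;
    int rc = conv->conv(1, &msgp, &resp, conv->appdata_ptr);
    if (rc != PAM_SUCCESS)
        return rc;
    if (resp == NULL || resp->resp == NULL) { /* application sent no answer */
        free(resp);
        return PAM_CONV_ERR;
    }
    *answer = resp->resp; /* take ownership of the reply string */
    free(resp);
    return PAM_SUCCESS;
}

/* Constructed application side, standing in for sshd: it records the prompt it
 * was asked to display and answers with the string passed as appdata_ptr. */
char last_prompt[128];
int fake_conv(int n, const struct pam_message **m, struct pam_response **r, void *appdata)
{
    if (n != 1 || appdata == NULL || (*r = calloc(1, sizeof **r)) == NULL)
        return PAM_CONV_ERR;
    strncpy(last_prompt, m[0]->msg, sizeof last_prompt - 1);
    (*r)->resp = malloc(strlen(appdata) + 1);
    if ((*r)->resp != NULL)
        strcpy((*r)->resp, appdata);
    return PAM_SUCCESS;
}
```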



