From owner-freebsd-questions@FreeBSD.ORG Tue Sep 25 13:17:58 2007
Date: Tue, 25 Sep 2007 17:15:18 +0400 (GST)
From: Rakhesh Sasidharan
To: freebsd-questions@freebsd.org
Subject: Re: Confusion on SSH and PAM
Message-ID: <20070925164151.E85055@dogmatix.home.rakhesh.com>
References: <20070925150058.J79029@dogmatix.home.rakhesh.com>
List-Id: User questions

Christian Baer wrote:

> On Tue, 25 Sep 2007 15:56:22 +0400 (GST) Rakhesh Sasidharan wrote:
>
>> Any ideas or nudges in the right direction as to why this is happening?
>> Looks like I've understood the interaction between SSH and PAM wrong here,
>> so would appreciate some enlightenment.
>
> I'm not sure if I can offer any enlightenment here, but you can have my 2
> cents. :-)

I don't mind enlightenment that can be got for 2 cents! :-)

> This is one of these things with computer logic. :-) You have told the
> sshd that a root login via PAM is not ok, only via private key. PAM is
> activated just the same (and probably works for other users). The login
> follows a certain order...
>
> 1 Ask for username
> 2 Did we get a key? If not, goto 5
> 3 Is the key ok? If not, goto 5
> 4 Let user login, exit authentication
> 5 Is PAM globally on? If not exit
> 6 Ask for password
> 7 Is the password ok? If not goto 6 max 2 times, after that exit
> 8 Let user login, exit

... snip ...

> Your problem seems to be from steps 5 to 7. After the authentication by
> key fails, the sshd just goes to the next step, which is the password. For
> security reasons, the communication "inside" is a bit brief. PAM only gets
> the answer "not authenticated" and because the reason isn't an issue, the
> user is asked for the password again. The point is that the sshd just
> refuses your login each time, because a password just isn't enough.

I see. I thought the interaction between SSHD and PAM was that SSHD tells
PAM to authenticate on its behalf, PAM replies with a PASS/FAIL depending on
the final result of its modules, and SSHD allows/disallows based on this
result. But from what you say, I get the impression that SSHD can ask PAM to
re-try even if PAM replies with a PASS ... that's kind of futile, isn't it?
Why doesn't SSHD just take the PASS result and deny the user straightaway
instead of making PAM retry twice?

Here's something else that I tried. There's a PAM module for CAPTCHA
(http://www.semicomplete.com/projects/pam_captcha/ in case someone's
interested). I modified my PAM config to include that too before the
pam_unix module.

-----8<---------
auth     required  pam_nologin.so  no_warn
auth     requisite /usr/local/lib/pam_captcha.so  math randomstring
auth     required  pam_unix.so  try_first_pass
account  required  pam_login_access.so
account  required  pam_unix.so
session  required  pam_permit.so
password required  pam_unix.so
-----8<---------

Following our previous logic, shouldn't pam_captcha get invoked, verify
through CAPTCHA, pass on to pam_unix to get the password, pass the result to
SSH, fail, and restart with pam_captcha and pam_unix for 2 more times? But it
does not happen that way! Instead, now, pam_captcha does the looping for 2
more times, and even after successfully entering the CAPTCHA strings root
login is denied. Strange. pam_unix is not even called for the password!

When PAM is used to authenticate for SSHD, is it not that PAM goes through
all its modules and *then* passes the result to SSH? Or are there any subtler
interactions ... each module passes its result to SSH and their behaviour is
influenced by SSHD's reply?

> I know, crappy algorithm that reminds of BASIC a bit. In this case it
> should do the job, though. Please forget that the word "goto" exists in
> other languages too (even Java). :-)

:-)

Regards,
- Rakhesh
http://rakhesh.net/
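The thread turns on two separate mechanisms: how a PAM auth stack is evaluated module by module according to its control flags (required, requisite, sufficient, optional, as documented in pam.conf(5)), and the retry-and-deny policy that the calling application (sshd, in Christian's step list) layers on top of PAM's PASS/FAIL answer. The following is an added example, not code from the mailing-list thread, from OpenSSH or from FreeBSD's PAM library. It models the control-flag semantics over the exact auth stack quoted above, with stand-in module implementations and a toy sshd-like front end; the module names, passwords and the `permit_root_password` policy switch are constructed assumptions, and the front end does not reproduce OpenSSH's real internals. It shows why a failing `requisite` module stops the stack before pam_unix is ever called, why a failing `required` module lets the rest of the stack run but still yields a denial, and how an application policy can refuse root even when the whole stack returns success.

```python
"""Toy model of PAM auth-stack evaluation plus an sshd-like retry loop.

Constructed example: module behaviour, passwords and the root-login policy
switch are assumptions made for illustration, not real PAM or OpenSSH code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"

Module = Callable[[Dict], str]          # a module takes the session context, returns a PAM code


@dataclass
class Entry:
    control: str                        # required | requisite | sufficient | optional
    module: str                         # module name, used as a key into MODULES
    args: Tuple[str, ...] = ()          # module arguments (kept for fidelity, unused here)


def run_stack(stack: List[Entry], modules: Dict[str, Module], ctx: Dict) -> Tuple[str, List[str]]:
    """Evaluate one PAM auth stack per pam.conf(5) control-flag semantics.

    Returns (final PAM result, names of the modules that actually ran)."""
    called: List[str] = []
    first_failure: Optional[str] = None   # failure recorded by a 'required' module
    for entry in stack:
        rc = modules[entry.module](ctx)
        called.append(entry.module)
        if entry.control == "requisite" and rc != PAM_SUCCESS:
            return rc, called             # short-circuit: nothing after this runs
        if entry.control == "required" and rc != PAM_SUCCESS and first_failure is None:
            first_failure = rc            # remember the failure, but keep going
        if entry.control == "sufficient" and rc == PAM_SUCCESS and first_failure is None:
            return PAM_SUCCESS, called    # early success ends the stack
        # 'optional' results are ignored unless it is the only module (not modelled)
    return (first_failure or PAM_SUCCESS), called


# --- stand-in modules (constructed; real modules read files and prompt the user) ---
PASSWORDS = {"root": "toor-example", "alice": "wonderland"}   # constructed sample credentials


def pam_nologin(ctx: Dict) -> str:
    """Deny non-root users while the nologin flag is set (mirrors pam_nologin's purpose)."""
    if ctx.get("nologin_file") and ctx["user"] != "root":
        return PAM_AUTH_ERR
    return PAM_SUCCESS


def pam_captcha(ctx: Dict) -> str:
    """Succeed only if the supplied CAPTCHA answer matches the expected one."""
    return PAM_SUCCESS if ctx.get("captcha_answer") == ctx.get("captcha_expected") else PAM_AUTH_ERR


def pam_unix(ctx: Dict) -> str:
    """Succeed only on the correct password for the user."""
    return PAM_SUCCESS if ctx.get("password") == PASSWORDS.get(ctx["user"]) else PAM_AUTH_ERR


MODULES: Dict[str, Module] = {
    "pam_nologin.so": pam_nologin,
    "pam_captcha.so": pam_captcha,
    "pam_unix.so": pam_unix,
}

# The auth lines from the quoted PAM configuration, in order.
AUTH_STACK = [
    Entry("required", "pam_nologin.so", ("no_warn",)),
    Entry("requisite", "pam_captcha.so", ("math", "randomstring")),
    Entry("required", "pam_unix.so", ("try_first_pass",)),
]


def sshd_auth(ctx: Dict, permit_root_password: bool = False, max_attempts: int = 3) -> Tuple[bool, int]:
    """Toy sshd-like front end (assumption, not OpenSSH): re-run the PAM stack up to
    max_attempts times, and refuse root outright when password-style root login is
    disabled, regardless of what PAM answered.  Returns (allowed, attempts used)."""
    for attempt in range(1, max_attempts + 1):
        rc, _ = run_stack(AUTH_STACK, MODULES, ctx)
        root_blocked = ctx["user"] == "root" and not permit_root_password
        if rc == PAM_SUCCESS and not root_blocked:
            return True, attempt
    return False, max_attempts


if __name__ == "__main__":
    root_ok = {"user": "root", "captcha_answer": "7", "captcha_expected": "7", "password": "toor-example"}
    print(run_stack(AUTH_STACK, MODULES, dict(root_ok, captcha_answer="wrong")))  # pam_unix never runs
    print(sshd_auth(root_ok))                      # PAM says success, policy still denies root
    print(sshd_auth(root_ok, permit_root_password=True))
```

Run it and compare the three printed results: with a wrong CAPTCHA the call list stops at `pam_captcha.so`, because `requisite` returns immediately; with everything correct the stack returns `PAM_SUCCESS`, yet the front end still reports `(False, 3)` for root until the policy switch is flipped. Whether real sshd behaves exactly like this front end is outside what this model can show; the PAM stack evaluation itself follows the documented control-flag rules.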