Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: sshd, pam and clear text

from [Darren Tucker] Network Security [Permanent Link]
Subject: Re: sshd, pam and clear text
Date: Fri, 18 May 2007 08:05:45 +1000
Robert Frank wrote: 
Hi,

I'm currently writing a pam which uses an external serfvice to
authenticate users. For this to work, I need to have the clear text
password the user entered at the keyboard. The pam then asks the
external authority, using the login and the password obtained, to
check if the user may login or not.

This works fine for gdm and  console login, but fails for ssh.
I've tried several different settings in sshd (PasswordAuthentication

yes/no, ChallengeResponseAuthentication yes/no, UsePAM yes), and ssh
does use my prompt I set in the challenge/response of the pam, but
all I ever get back as password is:

INCORRECT (sometimes in parentheses).

That happens when you don't have a local account for the user attempting to log in (ie getpwnam() doesn't work) or the account is otherwise disabled (eg not in AllowUsers).

The theory is that this is done to prevent info leaks (eg allowing a password to be verified even though the login is disabled).

See:
http://bugzilla.mindrot.org/show_bug.cgi?id=1215
http://bugzilla.mindrot.org/show_bug.cgi?id=1269

What settings are necessary to get the clear text password? Where is
the pam interaction of ssh (openssh) documented?

I'm using OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct 2005 on FC5. 

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: graceful ssh key management, Kevin Hunter
Next by Date:  Re: logging, Kevin Hunter
Previous by Thread:  ssh version issue ....ssh?, Yard, John
Next by Thread:  graceful ssh key management, Kevin Hunter
Indexes:  [Date] [Thread] [Top] [All Lists]