how to avoid echo prompt with SSH-PAM conv routine?
Francesco Grossi ITQL
f.grossi at itql.it
Thu Dec 18 13:36:59 EST 2008
Hello everybody,
I need help.
We are trying to make a new SASL mechanism to enable LDAP authentication via a
third-party password-validation tool.
User authentication is routed to the tool, which might ask the client for a
new password to be keyed in.
We succeeded in handling all the conversation, though in an unseemly fashion,
for the new password is echoed (which, of course, is not welcome by the
customer).
Our three main keys have been:
1) enabling SSH interaction with ChallengeResponseAuthentication=yes
   in sshd_config
2) enabling PAM_LDAP via etc/pam.d/system-auth
3) enabling the pam_conv routine by the following mechanism code:
    /* Ask for the new password: either an already-answered prompt in
       prompt_need or the application's callback for this prompt id.
       promptText is the text the validation tool sent back. */
    echo_result = _plug_challenge_prompt(params->utils,
                                         SASL_CB_ECHOPROMPT,
                                         NULL,
                                         promptText,
                                         (const char **)&text->echoresponse,
                                         prompt_need);
    if ((echo_result != SASL_OK) && (echo_result != SASL_INTERACT))
        return echo_result;

    /* free prompts we got */
    if (prompt_need && *prompt_need) {
        params->utils->free(*prompt_need);
        *prompt_need = NULL;
    }

    /* if there are prompts not filled in */
    if (echo_result == SASL_INTERACT)
    {
        /* make the prompt list; promptText goes in the echo-prompt slot,
           every other prompt (user, authname, password, realm) is left out */
        result =
            _plug_make_prompts(params->utils, prompt_need,
                               NULL, NULL,
                               NULL, NULL,
                               NULL, NULL,
                               NULL, promptText,
                               NULL, NULL, NULL, NULL);
        if (result != SASL_OK) return result;
        /* hand the list back to the glue code; we are called again once filled */
        return SASL_INTERACT;
    }

    /* the application provided us with a new password so use it */
    if (text->echoresponse) {
        *clientout = text->echoresponse;
        *clientoutlen = strlen(text->echoresponse);
    }
Now what we expected was just to turn SASL_CB_ECHOPROMPT into
SASL_CB_NOECHOPROMPT to reach our goal.
The result is that the pam_conv routine returns an empty response to SASL and
the mech_client_step function keeps being called (looping) by the glue code. In
human terms, the client keeps giving his new password, still in clear
(echo-prompted).
Do you have any idea on what I'm missing?
Is there any reference available about the chalprompt_cb function and its
parameters as used by _plug_challenge_prompt?
We also tried with _plug_get_password without any outcome.
Any help would be appreciated
Many many thanks
Francesco Grossi
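Added illustration, not code from the post above nor from Cyrus SASL: a self-contained C model of the SASL_INTERACT round trip between a client mechanism and the application, showing why the mechanism keeps being re-entered when the prompt id it asks for is not the id present in the prompt list it built. It assumes, from my reading of plugin_common.c, that _plug_challenge_prompt only accepts an answered prompt whose id matches the id it was called with, and that _plug_make_prompts emits its entry with SASL_CB_ECHOPROMPT; the struct, the SASL_CB_* values and the sample password are constructed for the model rather than taken from sasl.h.

```c
/* Model of the mechanism <-> application prompt loop. Not linked against
 * Cyrus SASL; ids and struct mirror sasl.h only as far as needed (assumption). */
#include <stddef.h>
#define SASL_OK              0
#define SASL_INTERACT        2
#define SASL_CB_LIST_END     0
#define SASL_CB_ECHOPROMPT   0x4005
#define SASL_CB_NOECHOPROMPT 0x4006

typedef struct {
    unsigned long id;     /* which SASL_CB_* prompt this is */
    const char *prompt;   /* text shown to the user */
    const char *result;   /* answer filled in by the application, or NULL */
} interact_t;

/* Mechanism side. want_id is the id handed to _plug_challenge_prompt,
 * list_id the id that ends up in the prompt list built for the application. */
static int mech_step(unsigned long want_id, unsigned long list_id,
                     interact_t *prompts, const char **out)
{
    /* _plug_find_prompt-style lookup: an answered prompt with the wanted id */
    for (interact_t *p = prompts; p->id != SASL_CB_LIST_END; p++)
        if (p->id == want_id && p->result) { *out = p->result; return SASL_OK; }
    /* none usable: (re)build the prompt list and hand it back to the app */
    prompts[0].id = list_id; prompts[0].prompt = "New password:"; prompts[0].result = NULL;
    prompts[1].id = SASL_CB_LIST_END;
    return SASL_INTERACT;
}

/* Application side: answer every prompt id it knows; others stay unanswered. */
static void app_fill(interact_t *prompts, const char *secret)
{
    for (interact_t *p = prompts; p->id != SASL_CB_LIST_END; p++)
        if (p->id == SASL_CB_ECHOPROMPT || p->id == SASL_CB_NOECHOPROMPT)
            p->result = secret;
}

/* Drive the loop with a round limit. Returns how many SASL_INTERACT rounds it
 * took, or -1 if the mechanism never accepts an answer: the looping symptom
 * that appears as soon as want_id and list_id differ. */
int run_exchange(unsigned long want_id, unsigned long list_id, int max_rounds)
{
    interact_t prompts[2] = { { SASL_CB_LIST_END, NULL, NULL },
                              { SASL_CB_LIST_END, NULL, NULL } };
    const char *pw = NULL;
    for (int round = 0; round < max_rounds; round++) {
        if (mech_step(want_id, list_id, prompts, &pw) == SASL_OK) return round;
        app_fill(prompts, "constructed-sample-password");
    }
    return -1;
}
```

Matching ids finish after one interaction round; asking for SASL_CB_NOECHOPROMPT while the list still carries SASL_CB_ECHOPROMPT never terminates, whereas building the list with the same no-echo id does.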
More information about the Cyrus-sasl mailing list