how to avoid echo prompt with SSH-PAM conv routine?

Francesco Grossi ITQL f.grossi at itql.it
Thu Dec 18 13:36:59 EST 2008


Hello everybody,

I need help.

We are trying to make a new SASL mechanism to enable LDAP authentication via a
third-party password-validation tool.

User authentication is routed to the tool, which might ask the client for a
new password to be keyed in.

We succeeded in handling the whole conversation, though in an unseemly fashion,
for the new password is echoed (which, of course, is not welcomed by the
customer).

Our 3 main keys have been:

1) enabling SSH interaction with ChallengeResponseAuthentication=yes
   in sshd_config

2) enabling PAM_LDAP via /etc/pam.d/system-auth

3) enabling the pam_conv routine by the following mechanism code:

      /* Ask the application for the new password through the echoing prompt
         callback; with no callback registered this yields SASL_INTERACT */
      echo_result = _plug_challenge_prompt(params->utils,
                                           SASL_CB_ECHOPROMPT,
                                           NULL,
                                           promptText,
                                           (const char **)&text->echoresponse,
                                           prompt_need);

      if ((echo_result != SASL_OK) && (echo_result != SASL_INTERACT))
            return echo_result;

      /* free prompts we got */
      if (prompt_need && *prompt_need) {
            params->utils->free(*prompt_need);
            *prompt_need = NULL;
      }

      /* if there are prompts not filled in */
      if (echo_result == SASL_INTERACT) {
            /* make the prompt list (only the echo-prompt slot is used) */
            result = _plug_make_prompts(params->utils, prompt_need,
                                        NULL, NULL,        /* user prompt/default  */
                                        NULL, NULL,        /* auth prompt/default  */
                                        NULL, NULL,        /* pass prompt/default  */
                                        NULL, promptText,  /* echo challenge/prompt */
                                        NULL,              /* echo default         */
                                        NULL, NULL, NULL); /* realm chal/prompt/def */
            if (result != SASL_OK) return result;

            /* hand the list back to the application; we are re-entered later */
            return SASL_INTERACT;
      }

      /* the application provided us with a new password so use it */
      if (text->echoresponse) {
            *clientout = text->echoresponse;
            *clientoutlen = strlen(text->echoresponse);
      }

Now what we expected was just to turn SASL_CB_ECHOPROMPT into
SASL_CB_NOECHOPROMPT to reach our goal.

The result is that the pam_conv routine returns an empty response to SASL and
the mech_client_step function keeps being called (looping) by the glue code.
In human terms, the client keeps giving his new password, still in the clear
(echo-prompted).

Do you have any idea on what I'm missing?

Is there any reference available about the chalprompt_cb function and its
parameters as used by _plug_challenge_prompt?

We also tried with _plug_get_password without any outcome.

Any help would be appreciated.

Many many thanks,


Francesco Grossi
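An added illustration, not from the post or from Cyrus SASL, of the SASL_INTERACT contract that _plug_challenge_prompt relies on: the mechanism accepts a value only from a filled prompt carrying the same callback id it asked for; otherwise it builds a fresh prompt list and returns SASL_INTERACT again. The struct and ids are stand-ins for sasl_interact_t and SASL_CB_* so the file compiles without sasl.h (assumption), and the secret is a constructed sample.

```c
/* Added illustration, not from the post or from Cyrus SASL: the struct and
 * ids below are stand-ins for sasl_interact_t and SASL_CB_* so this file
 * compiles without sasl.h (assumption). */
#include <stdlib.h>

#define CB_LIST_END     0
#define CB_ECHOPROMPT   1
#define CB_NOECHOPROMPT 2

typedef struct { unsigned id; const char *prompt; const char *result; } interact_t;

/* Mechanism side: a filled prompt counts only if its id is the one we asked for. */
static const char *find_filled(const interact_t *need, unsigned id) {
    for (; need && need->id != CB_LIST_END; need++)
        if (need->id == id && need->result) return need->result;
    return NULL;
}

/* Mechanism side: one client step. Returns 1 with *out set when the value
 * is available, else 0 after building a one-entry prompt list whose id is
 * listed_id (the id the step's prompt-list builder actually emits). */
static int client_step(unsigned wanted_id, unsigned listed_id,
                       interact_t **need, const char **out) {
    const char *r = find_filled(*need, wanted_id);
    if (r) { *out = r; return 1; }
    free(*need);
    *need = calloc(2, sizeof **need);     /* entry + CB_LIST_END terminator */
    (*need)[0].id = listed_id;
    (*need)[0].prompt = "New password:";
    return 0;
}

/* Application side (stand-in for the conv routine): fill every prompt listed. */
static void app_fill(interact_t *need, const char *secret) {
    for (; need && need->id != CB_LIST_END; need++) need->result = secret;
}

/* Drive the exchange. Returns how many SASL_INTERACT round trips happened
 * before the mechanism accepted a value, or -1 if it never did within max. */
int rounds_until_done(unsigned wanted_id, unsigned listed_id, int max) {
    interact_t *need = NULL; const char *out = NULL; int i;
    for (i = 0; i < max; i++) {
        if (client_step(wanted_id, listed_id, &need, &out)) { free(need); return i; }
        app_fill(need, "s3cret");         /* constructed sample secret */
    }
    free(need);
    return -1;
}
```

With a matching pair the value is accepted after one round trip; with a mismatched pair (the step asks for one id while the list it builds carries another) the simulation never terminates, which reproduces the looping symptom the post describes.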
