https://bugzilla.mindrot.org/show_bug.cgi?id=3736
Bug ID: 3736
Summary: sshd falls back to password prompt after PAM module returns a PAM_MAXTRIES.
Product: Portable OpenSSH
Version: 9.8p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: PAM support
Assignee: unassigned-b...@mindrot.org
Reporter: thibault.del...@lxp.lu

It is more a question about whether this is intended behavior or not.

Overview:

I am working on a PAM module where I either allow a user to provide us with an OTP code or, if his account doesn't have one, print the link to set it up and stop the authentication. When a user doesn't have OTP enabled, ssh prints the link 3 times because the user has 3 tries on the sshd side of things. To prevent that I tried to use the PAM_MAXTRIES return code in my PAM module. Instead of honoring the max tries and stopping the connection attempt, sshd falls back to a password prompt.

Steps to Reproduce:

For the purpose of the ticket I went and downloaded the latest 9.8p1 OpenSSH portable and compiled it with:

    configure --prefix=/opt --sysconfdir=/etc/ssh-portable --with-pam

The minimal setup to reproduce is these config files for sshd_config and pam.d/sshd:

    # /opt/sbin/sshd -V
    OpenSSH_9.8p1, OpenSSL 3.0.7 1 Nov 2022

    # grep -v '#' /etc/ssh-portable/sshd_config | grep -v -e '^$'
    KbdInteractiveAuthentication yes
    PasswordAuthentication no
    AuthenticationMethods publickey,keyboard-interactive:pam
    UsePAM yes
    SyslogFacility AUTHPRIV
    LogLevel DEBUG
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys

    # grep -v '#' /etc/pam.d/sshd | grep -v -e '^$'
    auth required pam_module.so

Running on rocky94.
The PAM module, compiled with gcc -shared -o pam_module.so min.c -lpam and put in /usr/lib64/security/pam_module.so:

    cat min.c
    #include <security/pam_misc.h>
    #include <security/pam_ext.h>
    #include <security/pam_modules.h>

    /* Minimal auth module: it never converses with the user and always
     * reports that the retry limit has been reached. */
    PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
                                       int argc, const char **argv)
    {
        return PAM_MAXTRIES;
    }

    /* Credential step: nothing to do. */
    PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags,
                                  int argc, const char **argv)
    {
        return PAM_SUCCESS;
    }

Expected behavior:

The ssh connection attempt should terminate instantly instead of asking for a password prompt.

Current behavior:

    ssh tdelmas@test-vm
    tdelmas@test-vm's password:
    Permission denied, please try again.
    tdelmas@test-vm's password:
    Permission denied, please try again.
    tdelmas@test-vm's password:
    tdelmas@test-vm: Permission denied ().

Is there a way for me to achieve my intended behavior? Am I wrong to assume sshd would "honor" the PAM_MAXTRIES with my current configuration?

Thanks in advance for your feedback, hopefully posting at the right spot.

--
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs