Bug 1228

Summary: kbd-int device for AIX authenticate
Product: Portable OpenSSH
Reporter: David Leonard <David.Leonard>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: NEW
Severity: enhancement
Priority: P2
Version: 4.3p2
Hardware: Other
OS: AIX
Attachments:
- patch for AIX authenticate kbdint device (flags: none)
- Patch for AIX LAM authentication kbdint device (flags: none)

Description David Leonard 2006-09-14 12:46:07 AEST
keyboard-interactive is currently only supported for PAM.

AIX's authenticate() function is only used by the 'none' and 'password' methods and is pretty horrid (see bug 908).

This is an enhancement bug to provide a kbd-int device for AIX authentication.

Comment 1 David Leonard 2006-09-14 12:49:19 AEST
Created attachment 1183
patch for AIX authenticate kbdint device

Here's what I've written for use in Quest's openssh. It seems to work pretty well.

Comment 2 Darren Tucker 2006-10-03 19:14:14 AEST
FWIW I wrote a similar patch a while back (didn't do privsep so was never published, though) but the problem I had was finding LAM modules that could actually exercise the multiple-step capability.  What did you use to test this?

Comment 3 David Leonard 2006-10-04 07:33:35 AEST
I used our product's AIX module (vas_aix). The module performs password expiry/change handling during the authenticate() loop, so the 'password' method doesn't work for some customers.

Comment 4 Ted Percival 2009-07-02 05:46:50 AEST
Created attachment 1658
Patch for AIX LAM authentication kbdint device

Updated patch against OpenSSH Portable CVS HEAD.

Changes since attachment #1183:
- Add a check for PermitRootLogin setting (especially "without-password") and fail authentication if (uid == 0 && PermitRootLogin != yes).
  https://bugsrc.quest.com/show_bug.cgi?id=712
- Fix a double-free of the username by strdup-ing it first.
  https://bugsrc.quest.com/show_bug.cgi?id=679