Kumaresh
2004-05-11 09:53:24 UTC
Hello,
We have a setup with OpenSSH server on HP-UX machine with windows SSH
clients and the server system is in trusted mode.
There are configuration settings in the trusted system to check the number
of unsuccessful logins to the system and the account can be configured to
lock if the real unsuccessful attempt is exceeding the allowable limit. Now,
as SSH do not have any explicit code to check all these trusted system
related configuration, we have a necessity that the code has to go through
PAM.
We are using "PowerTerm Interconnect" windows SSH clients and in these
clients there are no options to set "keyboard-interactive" method for
authentication. So,even if we set "UsePAM yes" in the server side, the
client is not sending a "keyboard-interactive" string and sends a "password"
string, so, the "password" method is being started. So, the system is doing
normal password authentication even if "UsePAM yes" is configured. But, we
need the sshd server should pass through PAM so that the trusted system
behaviour will be taken care by PAM modules.
In order to achieve this, we like the sshd server to do the
keyboad-interactive feature for Password authentication also. That is., even
the normal password authentication it has to go through PAM.
First of all,what are the impacts for this change in design? Is this change
valid?
Any help will be much appreciated.
Thanks,
Kumar
We have a setup with OpenSSH server on HP-UX machine with windows SSH
clients and the server system is in trusted mode.
There are configuration settings in the trusted system to check the number
of unsuccessful logins to the system and the account can be configured to
lock if the real unsuccessful attempt is exceeding the allowable limit. Now,
as SSH do not have any explicit code to check all these trusted system
related configuration, we have a necessity that the code has to go through
PAM.
We are using "PowerTerm Interconnect" windows SSH clients and in these
clients there are no options to set "keyboard-interactive" method for
authentication. So,even if we set "UsePAM yes" in the server side, the
client is not sending a "keyboard-interactive" string and sends a "password"
string, so, the "password" method is being started. So, the system is doing
normal password authentication even if "UsePAM yes" is configured. But, we
need the sshd server should pass through PAM so that the trusted system
behaviour will be taken care by PAM modules.
In order to achieve this, we like the sshd server to do the
keyboad-interactive feature for Password authentication also. That is., even
the normal password authentication it has to go through PAM.
First of all,what are the impacts for this change in design? Is this change
valid?
Any help will be much appreciated.
Thanks,
Kumar