OpenOTP PAM 1.0.6 SSH change

97 views
Skip to first unread message

Jibé

unread,
Mar 1, 2013, 9:49:34 AM3/1/13
to rcdevs-t...@googlegroups.com
Hi,
Since I have upgraded libopenotp to 1.0.7-1 and pam_openotp to 1.0.6 I have find the following difference with my older version:
when a user login the ssh sequence is the following :

login as: user_a
Access denied
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Entrer votre TOKEN one-time password:


With previous version pam module ask for LDAP Password and not just Password:

login as: user_a
Access denied
Using keyboard-interactive authentication.
LDAP Password:
Using keyboard-interactive authentication.
Entrer votre TOKEN one-time password:

Is it a bug ? Can I change back the label to "LDAP password" ?

thanks.

Administrators

unread,
Mar 1, 2013, 10:16:00 AM3/1/13
to RCDevs Security Solutions - Technical
You use OpenOTP 1.1 and if you do not set the password_mode parameter
(or set password_mode=0) in the PAM SSH config, the plugin will use
the new OpenOTP SimpleLogin API.
In this mode, OpenOTP assumes LDAP or OTP or LDAPOTP login mode -
automatically depending on the user configuration.
So the PAM plugin asks for "Password:" as it can be a LDAP or OTP
password.

If you need the old behavior (LDAPOTP with LDAP first and OTP in a
challenge), then you can set password_mode=1 in the PAM SSH config.

The PAM source code is :

/* ask for password */
if (pam_password == NULL) {
/* ask for a password */
/* pam_info(pamh, WELCOME_MSG); */
if (password_mode == 0) retval = pam_converse(pamh, "Password:
", &pam_password);
else if (password_mode == 1) retval = pam_converse(pamh, "LDAP
Password: ", &pam_password);
else if (password_mode == 2) retval = pam_converse(pamh, "OTP
Password: ", &pam_password);
else if (password_mode == 3) retval = pam_converse(pamh, "LDAP
+OTP Passwords: ", &pam_password);
else if (password_mode == 4) retval = pam_converse(pamh, "OTP
+LDAP Passwords: ", &pam_password);
else retval = pam_converse(pamh, "OTP+LDAP Passwords: ",
&pam_password);
if (retval != PAM_SUCCESS || pam_password == NULL) {
DLOG(LOG_ERR, "%sCould not get user password for user %s",
LOG_PREFIX, pam_user);
pam_set_result(pamh, retval);
return retval;
}
}

On Mar 1, 3:49 pm, Jibé <jb.charpent...@gmail.com> wrote:
> Hi,
> Since I have upgraded libopenotp to 1.0.7-1 and pam_openotp to 1.0.6 I have
> find the following difference with my older version:
> when a user login the ssh sequence is the following :
>
> login as: user_a
> Access denied
> Using keyboard-interactive authentication.
> *Password*:
> Using keyboard-interactive authentication.
> Entrer votre TOKEN one-time password:
>
> With previous version pam module ask for LDAP Password and not just
> Password:
>
> login as: user_a
> Access denied
> Using keyboard-interactive authentication.
> *LDAP Password*:

Jibé

unread,
Mar 1, 2013, 11:01:32 AM3/1/13
to rcdevs-t...@googlegroups.com
Thanks. It's OK now.
Reply all
Reply to author
Forward
0 new messages