I am trying to get something like the following working
so a user logs in normally using Unix authentication
(as would have happened before pam_ssh was installed on
my system), but then pam_ssh is seamlessly invoked so
that if a user also has an SSH key with the same
password, he will get ssh-agent running for free
without needing to reenter his SSH passphrase. If the
user's SSH passphrase is different, he should be
prompted. This is my understanding of the purpose of
the try_first_pass flag to pam_ssh.
This is my configuration:
auth required /lib/security/pam_unix.so
auth optional /lib/security/pam_ssh.so try_first_pass
auth optional /lib/security/pam_env.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ssh.so
With this configuration, if the user has the same Unix
password and SSH passphrase, it all works nicely as far
as I can tell. If the user's passwords are different,
rather than asking for the SSH passphrase, it seems the
user is simply denied pam_ssh.so access. Certainly, no
functional ssh-agent is started.
If I remove the try_first_pass flag, things seem to
work fine except of course the user must enter both the
Unix and SSH passwords, which is partly what I am
trying to avoid.
Is this possibly a problem with pam_ssh? Does the
behavior here depend on whether pam_unix is invoked via
pam_stack or whether pam_unix uses the likeauth flag?
Logged In: NO
how about this?
auth sufficient /lib/security/pam_unix.so
auth sufficient /lib/security/pam_ssh.so try_first_pass
auth optional /lib/security/pam_env.so
session sufficient /lib/security/pam_unix.so
session sufficient /lib/security/pam_ssh.so
Logged In: NO
Did you bother reading my request? Your suggested
configuration is a typical use of pam_ssh, but is quite
different from my desired behavior.
The sufficient keyword will short-circuit the stack and
cause all other modules (including pam_ssh) to never be
invoked if pam_unix passes.
The idea here is that pam_unix should be the sole module
responsible for authentication. If the user is successfully
authenticated, the user should have ssh-agent automatically
invoked (in other words, the pam_ssh module should then be
invoked). If the user's SSH private key passphrase is the
same as his Unix account password, the ssh-agent will
automatically use this password which was previously
provided to the pam_unix module. If not, the user will be
asked for his SSH passphrase. (Alternately, substituting
try_first_pass for use_first_pass will mean the user is
never asked for his SSH passphrase but gets ssh-agent for
free if the passphrase matches the password).
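To make the short-circuit point concrete, here is a small toy evaluator of a Linux-PAM style auth stack. It is an added example written for this thread, not code from pam_ssh or from any poster, and it only models the simple control keywords (required, requisite, sufficient, optional); module outcomes are supplied as a constructed success/failure map rather than by calling real modules. It shows that the "sufficient pam_unix" stack never reaches pam_ssh when the Unix password is accepted, whereas the original "required pam_unix / optional pam_ssh" stack always invokes it.

```python
"""Toy evaluator for a Linux-PAM style auth stack (added example, not from the thread)."""
from typing import Dict, List, Tuple

# (control, module, args) triples; the /lib/security/ paths are dropped for brevity.
Stack = List[Tuple[str, str, str]]

# The original poster's stack: pam_unix decides, pam_ssh is always consulted.
ORIGINAL_STACK: Stack = [
    ("required", "pam_unix.so", ""),
    ("optional", "pam_ssh.so", "try_first_pass"),
    ("optional", "pam_env.so", ""),
]

# The stack suggested in the reply: the first sufficient success ends the stack.
SUGGESTED_STACK: Stack = [
    ("sufficient", "pam_unix.so", ""),
    ("sufficient", "pam_ssh.so", "try_first_pass"),
    ("optional", "pam_env.so", ""),
]


def evaluate_stack(stack: Stack, results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (authenticated, modules_invoked).

    `results` maps a module name to the success/failure it would report
    (a constructed stand-in for the real module call).  Modules missing
    from the map are assumed to succeed.
    """
    invoked: List[str] = []
    required_failed = False      # some required/requisite module failed
    required_succeeded = False   # some required/requisite module succeeded
    optional_succeeded = False

    for control, module, _args in stack:
        invoked.append(module)
        ok = results.get(module, True)
        if control in ("required", "requisite"):
            if ok:
                required_succeeded = True
            else:
                required_failed = True
                if control == "requisite":
                    break        # requisite aborts the stack at once
        elif control == "sufficient":
            # Success ends the stack immediately unless an earlier required
            # module already failed; a failure is simply ignored.
            if ok and not required_failed:
                return True, invoked
        elif control == "optional":
            optional_succeeded = optional_succeeded or ok
        else:
            raise ValueError(f"unknown control keyword: {control}")

    if required_failed:
        return False, invoked
    if required_succeeded:
        return True, invoked
    # Only failed sufficient modules and optional modules were seen: optional
    # results decide the outcome only when the stack holds nothing else.
    only_optional = all(c == "optional" for c, _, _ in stack)
    return only_optional and optional_succeeded, invoked


def pam_ssh_reached(stack: Stack, unix_ok: bool) -> bool:
    """Is pam_ssh.so invoked at all when pam_unix reports `unix_ok`?"""
    _, invoked = evaluate_stack(stack, {"pam_unix.so": unix_ok, "pam_ssh.so": False})
    return "pam_ssh.so" in invoked


if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL_STACK), ("suggested", SUGGESTED_STACK)):
        for unix_ok in (True, False):
            auth, ran = evaluate_stack(stack, {"pam_unix.so": unix_ok, "pam_ssh.so": False})
            print(f"{name:9s} unix_ok={unix_ok!s:5s} auth={auth!s:5s} ran={ran}")
```

Running the block prints one line per stack and outcome. With the suggested stack and a correct Unix password, only pam_unix.so appears in the list of invoked modules, so pam_ssh never gets the chance to start ssh-agent; with the original stack, pam_ssh.so runs whether or not pam_unix accepted the password, and the stack's overall result is still decided by pam_unix alone.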
Logged In: YES
user_id=716316
I'm getting exactly the behavior you described as desirable without
the try_first_pass flag. If the passwords are identical, then, the
user types their password (SSH password) and is authenticated and
the SSH Agent starts up. If they are different, then, the user must
enter both passwords, but, the SSH password comes first.
I suppose if it's important to you to type the regular password first,
and the SSH Key password second if they are different, then, perhaps
you need this flag, but, I don't understand why that would be important.
Should be fixed with version 2.0