From ionic@ionic.de  Fri Sep  1 08:13:45 2017
Received: (at 966) by bugs.x2go.org; 1 Sep 2017 06:13:51 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.0 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham
	autolearn_force=no version=3.4.1
Received: from localhost (localhost [127.0.0.1])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTP id DE9295DACF
	for <966@bugs.x2go.org>; Fri,  1 Sep 2017 08:13:44 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at ymir.das-netzwerkteam.de
Received: from ymir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (ymir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id iiBlWJ87K69V for <966@bugs.x2go.org>;
	Fri,  1 Sep 2017 08:13:40 +0200 (CEST)
Received: from Root24.de (powered.by.root24.eu [5.135.3.88])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTP id EDC365DA8C
	for <966@bugs.x2go.org>; Fri,  1 Sep 2017 08:13:39 +0200 (CEST)
Received: from [10.20.16.17] (178.162.222.163.adsl.inet-telecom.org [178.162.222.163])
	by mail.ionic.de (Postfix) with ESMTPSA id 6AC784F003CA;
	Fri,  1 Sep 2017 08:13:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=ionic.de; s=default;
	t=1504246419; bh=TqAUXYEtd9RbirBPUsDpTENATDsI1DkED7vqGjo5v7k=;
	h=Subject:To:References:From:Date:In-Reply-To:From;
	b=ZqeSOMsrFpX5SSzdTsgCPDIy5ch1gYVLECUyOQsvKaada6ywWcZMd6+9RWnO6jnDE
	 QuIAAtAP8WnKZ+WTdh0eK8Drj+arhYE//+VehzeDK+2xEi3uivp9zB5hslN0zduwPU
	 3yOPwIWYEV+Pb+rvGiPiR/nrZSCvLHRzWf0KvWgU=
Subject: Re: [X2Go-Dev] Banner issue update
To: "Cherry, Andrew J." <acherry@alcf.anl.gov>, 966@bugs.x2go.org
References: <F6769B3D-89EA-4E1B-831A-84EBBB985A96@anl.gov>
 <387FE67D-CA29-41C0-90FE-2CE278CF232B@anl.gov>
 <81B6606D-C01B-4835-84F4-3736504FA62D@anl.gov>
From: Mihai Moldovan <ionic@ionic.de>
Message-ID: <4c4f7729-0dfc-dbd3-753d-3dc45264c446@ionic.de>
Date: Fri, 1 Sep 2017 08:13:38 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <81B6606D-C01B-4835-84F4-3736504FA62D@anl.gov>
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="iBVntp4PFfqF2uMXq2VIeSwHfKVPslW4M"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 08/30/2017 04:10 AM, Cherry, Andrew J. wrote:
> I did some more experimentation, and it looks like the following specific
> conditions are needed to reproduce the problem we're having:
> 
> 1. Banner configured in /etc/pam.d/sshd using pam_echo.so, e.g.:
> 
> auth optional pam_echo.so file=/etc/issue.net
> 
> 2. The following config changes in sshd_config:
> 
> ChallengeResponseAuthentication yes
> PasswordAuthentication no

This sort of makes sense.

If challenge response auth is turned on and normal password authentication is
turned off, X2Go Client expects a certain challenge response string to come up.
If none of the built-in strings match, authentication is marked as failed, since
it cannot proceed with password authentication (i.e., the keyboard-interactive
method).

The patch you initially provided merely ignores whatever data comes first and
then matches on the password prompt.


Am I correct that in any case challenge auth is being used?


The problem certainly is that pam_echo.so outputs data before the prompt.


I'm reluctant to apply your patch, since I'm not sure that this is actually good
practice. Allowing arbitrary data before the password prompt doesn't make a lot
of sense to me, although I could probably do that.

We have a set of hardcoded prompts that are recognized as challenge auth
prompts, namely these listed here:
https://code.x2go.org/gitweb?p=x2goclient.git;a=blob;f=src/sshmasterconnection.cpp;h=0556299002e6402e332efe478d8ec7f83ab0ac57;hb=HEAD#l59


The requirement is that challenge auth prompts either contain *challenge* or
that they *start* with the known prompts.

Maybe it would make sense to check each consecutive *line* explicitly?

Would that make sense to you? I guess that would fix your problem.



Mihai

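The following is an added illustration of the matching problem discussed in this thread; it is not code from x2goclient. It applies the rule stated above (a prompt is accepted if it contains "challenge" or starts with one of the known prompts) first to the whole keyboard-interactive buffer and then to each line separately, using a constructed placeholder prompt list and a constructed sample of what sshd sends when pam_echo.so prints /etc/issue.net ahead of the password prompt. The real prompt list in sshmasterconnection.cpp is not reproduced here.

```cpp
// Added example (not X2Go's code): recognising a keyboard-interactive prompt
// when a PAM banner precedes it. Whole-buffer matching fails on the banner;
// per-line matching finds the prompt and keeps the banner lines for display.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Constructed placeholder list. The real list lives in x2goclient's
// src/sshmasterconnection.cpp and is deliberately not copied here.
static const std::vector<std::string> kKnownPrompts = {
    "Password:",
    "Verification code:",
};

// The rule from the mail: accept when the text contains "challenge" or
// *starts* with one of the known prompts.
bool isChallengePrompt(const std::string& text) {
    if (text.find("challenge") != std::string::npos) return true;
    for (const auto& p : kKnownPrompts) {
        if (text.compare(0, p.size(), p) == 0) return true;
    }
    return false;
}

// Current behaviour: the rule is applied to everything sshd sent at once.
// Any banner in front of the prompt defeats the prefix test.
bool matchWholeBuffer(const std::string& buffer) {
    return isChallengePrompt(buffer);
}

// Proposed behaviour: apply the rule to each line. Returns the index of the
// first matching line, or -1 if no line is a recognised prompt. Lines before
// the match are banner text that can still be shown to the user rather than
// silently discarded.
int matchPerLine(const std::string& buffer) {
    std::istringstream in(buffer);
    std::string line;
    int idx = 0;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // tolerate CRLF
        if (isChallengePrompt(line)) return idx;
        ++idx;
    }
    return -1;
}

// Constructed samples (not captured from a real server).
const std::string kBannerThenPrompt =
    "Authorized uses only. All activity may be monitored.\n"
    "Password: ";
const std::string kPromptOnly = "Password: ";
const std::string kNoPrompt =
    "Authorized uses only.\n"
    "Connection will be logged.\n";

int main() {
    std::cout << "whole-buffer, prompt only:   " << matchWholeBuffer(kPromptOnly) << "\n";
    std::cout << "whole-buffer, banner+prompt: " << matchWholeBuffer(kBannerThenPrompt) << "\n";
    std::cout << "per-line, banner+prompt:     " << matchPerLine(kBannerThenPrompt) << "\n";
    std::cout << "per-line, no prompt:         " << matchPerLine(kNoPrompt) << "\n";
    return 0;
}
```

With the banner present, matchWholeBuffer returns false (the current failure), while matchPerLine returns 1, the index of the "Password: " line, so the client can both recognise the prompt and surface the banner lines 0..n-1 to the user.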


