In some SSH versions (OpenSSH before 3.9, and Sun's SSH 1.0/1 (SSH2) are known cases), password authentication (as opposed to keyboard-interactive) was not fully PAM compliant. It has no conversation capability, so it fails to work with VAS, which requires full PAM compliance. The symptom is the error "PAM conversation error".
Resolution: obtain the password with another PAM module, so that pam_vas no longer needs to run a conversation to get it.
In /etc/pam.conf, in the sshd service stack (sshd-password for Sun's SSH 1.0/1), move the pam_authtok_get line above the pam_vas line and change the pam_vas option get_nonvas_pass to use_first_pass. pam_vas then reuses the token already collected by pam_authtok_get instead of prompting for it through a conversation.
Example change from:
other auth sufficient /opt/quest/lib/security/$ISA/pam_vas3.so create_homedir get_nonvas_pass
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1 use_first_pass
Change to:
other auth requisite pam_authtok_get.so.1
other auth sufficient /opt/quest/lib/security/$ISA/pam_vas3.so create_homedir use_first_pass
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1 use_first_pass
The example above is from Solaris, but the same approach should work on any OS that has a module dedicated to obtaining the authentication token.
It is recommended that sshd be given its own entry in pam.conf and that the changes be made only to that section. This configuration cannot process custom PAM prompts, because custom prompts are passed through conversations, so it should be limited to the sshd service to avoid affecting other services.
Password authentication in SSH does not attempt to use conversations at all. Some applications do not display custom prompts but still go through the conversation interaction, which is why they work with pam_vas yet do not show custom prompts.
WARNING: on some OSes password changing may not work with this setup, or may require additional configuration.
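As an added example (not part of the original article and not a One Identity tool), the shell function below audits a pam.conf auth stack for the arrangement described above: pam_authtok_get ahead of pam_vas3, with use_first_pass in place of get_nonvas_pass, falling back to the "other" stack when the service has no entry of its own, as PAM does. The two pam.conf fragments are constructed for the example; the "after" fragment places the fix under a dedicated sshd entry and leaves "other" unchanged, as the recommendation above suggests. The function name check_vas_auth_stack and the Solaris-style module paths are assumptions.

```shell
#!/bin/sh
# Added example: audit a Solaris-style pam.conf auth stack for the pam_vas3
# use_first_pass arrangement. Hypothetical helper, not a One Identity tool.
#
# check_vas_auth_stack <service> <pam.conf text>
# Succeeds (exit 0) when the service's auth stack (falling back to "other",
# as PAM itself does when a service has no entry) has:
#   1. a pam_authtok_get line before the pam_vas3 line, and
#   2. use_first_pass, and not get_nonvas_pass, on the pam_vas3 line.
check_vas_auth_stack() {
    cvas_svc=$1
    cvas_conf=$2

    # Pull out "<service> auth ..." lines; fall back to the "other" stack.
    cvas_stack=$(printf '%s\n' "$cvas_conf" | awk -v svc="$cvas_svc" '$1 == svc && $2 == "auth"')
    [ -n "$cvas_stack" ] || cvas_stack=$(printf '%s\n' "$cvas_conf" | awk '$1 == "other" && $2 == "auth"')
    [ -n "$cvas_stack" ] || { echo "FAIL: no auth stack for $cvas_svc"; return 1; }

    # 1-based positions of the two modules within the stack.
    cvas_get=$(printf '%s\n' "$cvas_stack" | grep -n 'pam_authtok_get' | head -n 1 | cut -d: -f1)
    cvas_vas=$(printf '%s\n' "$cvas_stack" | grep -n 'pam_vas3' | head -n 1 | cut -d: -f1)
    [ -n "$cvas_vas" ] || { echo "FAIL: pam_vas3 not in $cvas_svc auth stack"; return 1; }
    [ -n "$cvas_get" ] || { echo "FAIL: pam_authtok_get missing from $cvas_svc auth stack"; return 1; }
    [ "$cvas_get" -lt "$cvas_vas" ] || { echo "FAIL: pam_authtok_get must come before pam_vas3"; return 1; }

    # Options on the pam_vas3 line: the token must be reused, not asked for.
    cvas_line=$(printf '%s\n' "$cvas_stack" | sed -n "${cvas_vas}p")
    case "$cvas_line" in
        *get_nonvas_pass*) echo "FAIL: pam_vas3 still uses get_nonvas_pass (needs a conversation)"; return 1 ;;
    esac
    case "$cvas_line" in
        *use_first_pass*) ;;
        *) echo "FAIL: pam_vas3 lacks use_first_pass"; return 1 ;;
    esac
    echo "OK: $cvas_svc auth stack reuses the token collected by pam_authtok_get"
    return 0
}

# Constructed sample pam.conf fragments (not taken from a real host).
# "Before": the stack from the article, pam_vas3 first and asking for the password itself.
PAMCONF_BEFORE=$(cat <<'EOF'
other auth sufficient /opt/quest/lib/security/$ISA/pam_vas3.so create_homedir get_nonvas_pass
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1 use_first_pass
EOF
)
# "After": sshd given its own entry with the fix; the "other" stack is left unchanged
# so services that rely on conversations (custom prompts) are unaffected.
PAMCONF_AFTER=$(cat <<'EOF'
sshd auth requisite pam_authtok_get.so.1
sshd auth sufficient /opt/quest/lib/security/$ISA/pam_vas3.so create_homedir use_first_pass
sshd auth required pam_dhkeys.so.1
sshd auth required pam_unix_auth.so.1 use_first_pass
other auth sufficient /opt/quest/lib/security/$ISA/pam_vas3.so create_homedir get_nonvas_pass
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1 use_first_pass
EOF
)

check_vas_auth_stack sshd "$PAMCONF_BEFORE" || true   # reports FAIL for the original stack
check_vas_auth_stack sshd "$PAMCONF_AFTER"           # reports OK for the fixed sshd entry
```

Against a live system, pass the real file contents, e.g. check_vas_auth_stack sshd "$(cat /etc/pam.conf)" (or sshd-password for Sun's SSH). Because the check falls back to "other", a service that still depends on conversations, such as login in the sample above, correctly reports FAIL, which is the intended state for everything other than sshd.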