Bug 1310226

Summary: OpenSSH 7.1p2 with custom PAM module doesn't show the PAM module's prompt
Product: [Fedora] Fedora
Reporter: Zoltan Boszormenyi <zboszor>
Component: openssh
Assignee: Jakub Jelen <jjelen>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 23
CC: jjelen, mattias.ellert, mgrepl, plautrba, tmraz
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2016-02-22 09:16:16 UTC
Type: Bug

Description Zoltan Boszormenyi 2016-02-19 19:48:59 UTC
Description of problem:

I recently upgraded from Fedora 22 to Fedora 23.
However, the machine needs custom authentication, and for this we have a custom-made PAM module that offers its own login prompt.

With openssh-6.8p1-8 on Fedora 22, the PAM module's own prompt is visible.
With openssh-7.1p2-3 on Fedora 23, this prompt is replaced with ssh's own prompt, though the generated password of the day still works.

Version-Release number of selected component (if applicable):

$ rpm -q openssh
openssh-7.1p2-3.fc23.x86_64

How reproducible:

Always.

Steps to Reproduce:
1.
2.
3.

Actual results:

The custom prompt is replaced with the stock ssh prompt but login is allowed with the PAM module's generated password.

Expected results:

The PAM module's own prompt should be shown when it gets activated during the authentication process.

Additional info:

Comment 1 Tomas Mraz 2016-02-22 08:05:55 UTC
Most probably your configuration just changed from keyboard-interactive authentication to regular password authentication which is (and always was) the default on Fedora.

Just verify that you have ChallengeResponseAuthentication set to 'yes' and PasswordAuthentication set to 'no' in the sshd_config.

Comment 2 Zoltan Boszormenyi 2016-02-22 09:15:48 UTC
Thank you, these settings helped.
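
A check for the two settings named in Comment 1, as an added example (not part of the bug thread or of OpenSSH): with password authentication the ssh client prints its own prompt, while keyboard-interactive relays the PAM module's prompt. The function names, the sample configs and the upstream default of `yes` used as a fallback are assumptions of this example; on a live host, `sshd -T` prints the effective values.

```shell
#!/bin/sh
# Added example. Assumed limits: only the global section before the first
# Match block is read, and Include files are not followed.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the first value it finds for a keyword; keywords are case-insensitive.
effective_value() {
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blank lines
        { sub(/[ \t]*=[ \t]*/, " "); key = tolower($1) }  # accept Key=value too
        key == "match" { exit }                           # global section ends
        key == want { print $2; found = 1; exit }
        END { if (!found) print dflt }
    ' "$1"
}

# pam_prompt_check FILE: succeeds when FILE matches the advice in Comment 1.
pam_prompt_check() {
    cra=$(effective_value "$1" ChallengeResponseAuthentication yes)
    pw=$(effective_value "$1" PasswordAuthentication yes)
    if [ "$cra" = yes ] && [ "$pw" = no ]; then
        echo "ok: PAM prompt is relayed via keyboard-interactive"
        return 0
    fi
    echo "mismatch: ChallengeResponseAuthentication=$cra PasswordAuthentication=$pw"
    return 1
}

# Constructed sample configs (not taken from the reporter's machine).
tmp=$(mktemp -d)
cat > "$tmp/before" <<'EOF'
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
EOF
cat > "$tmp/after" <<'EOF'
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes   # ignored: an earlier line already set it
EOF
for f in before after; do
    printf '%s: ' "$f"; pam_prompt_check "$tmp/$f" || true
done
rm -rf "$tmp"
```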