sshd custom password prompt

[Larry_Flynn]

I am a first time poster long time user. I am not sure if this thread belongs in Installing & Upgrading or Web & Network Services. I did a quick search and most sshd questions are in Web & Network Services so here we go

I just upgraded from 9.0 to 9.1 stable. After rebuilding the kernel and installing world I connected to the machine via SSH and got a feature I would like to change.

When connecting sshd displays:

banner
password for user@server.org:

where before the update it displayed:

banner
password:

I have looked in multiple configuration files to see where the new feature which adds the username@hostname to the password prompt so that I can remove that bit.

/etc/ssh/ssd_conf
/etc/ssh/ssh_conf
/etc/login_conf
/etc/getttytab

Any one know where I can edit the password prompt for sshd?

Thanks in advance,
Larry

 

[fonz]

What happens when you login locally (e.g. from the console or simply by typing % login)? My initial suspicion is that the prompt you're trying to get right of may be hardwired into OpenSSH, but I'd prefer that you answer my question before I start rooting around in the source code to find out.

 

[Larry_Flynn]

From the console I get

% login
login:
password:

I backed up my /etc before my installworld. I preformed a diff on my configuration files previously mentioned to see if any thing jumped out at me they are for the most part the same.


I have been reading the man pages for sshd and sshd_config trying to get an idea what might present the password promt after pasing the BANNER to the client. Looks like its either passed on to PAM, Login or Handled by SSHD internealy. I see one flag ChallengeResponseAuthentication which looks like it turns on and off PAM which then uses authentication styles supported in login.conf(5).

I have been searching up and down google for ideas and came across this post:
http://forums.debian.net/viewtopic.php?t=30238

Postby plugwash » 2008-08-28 22:11
It depends on what is asking for the password.

If you use ssh password authentication then the client displays the password prompt and generally uses the form <user>@<whatever name/number you used to connect to the server>'s password . A fact the server has no control on the format of this prompt.
On the other hand if the server uses keyboard interactive authentication and displays a password prompt within the keyboard interactive authentication session (I believe Debian does it this way by default) then the prompt is sent by the server and is generally just "password" (I don't know if this prompt can be changed but if it can changing it is a PAM issue not a sshd issue) . The client may also display a message saying that it is using keyboard interactive authentication (newer versions of putty do this, older versions of putty and all versions I have used of openssh don't)

I have played with sshd_config turning off/on a few flags that looked promising and got the following. The last two flags I got the first prompt then a second prompt then a login failure.

UsePam no

I get connection denied (public key)

ChallengeResponseAuthentication no

Password for use@server: 3 times then
user@server 's Password: 3 times
(public key, keyboard interactive)

PasswordAuthentication no

Password for use@server: 3 times then
user@server 's Password: 3 times
(public key, keyboard interactive)

So it looks like sshd has a default authentication handler prompt which is showing up by the looks of its syntax after the first prompt. I am going to run sshd in debug mode and see if it's calling PAM modules. I will post the output here soon.

 

[Larry_Flynn]

Output of sshd -D -ddd
http://pastebin.com/DhKWW33j

/etc/pam.d/sshd
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

 

[anigma]

Hey Larry,

Did you ever figure out how to change the password prompt? I've been eager to change it as well.

 

[worldi]

To change sshd's password prompt to "Password:" you have to edit /etc/pam.d/sshd.

Find the following line:

auth            required        pam_unix.so             no_warn try_first_pass

Change it to this (i.e. simply append the authtok_prompt part):

auth            required        pam_unix.so             no_warn try_first_pass authtok_prompt=Password:

If you want space characters or quotes in you prompt escape them with backslashes:

auth            required        pam_unix.so             no_warn try_first_pass authtok_prompt=Your\ password,\ please:

That's it. No restart of sshd required.

 

[anigma]

Ah, sweet. Much obliged!