Subject: Re: ssh prompts passwd twice
To: None <current-users@netbsd.org>
From: Christos Zoulas <christos@tac.gw.com>
List: current-users
Date: 03/10/2005 16:57:49
In article <20050310212052.GA1766@antioche.eu.org>,
Manuel Bouyer <bouyer@antioche.eu.org> wrote:
>On Thu, Mar 10, 2005 at 05:23:31PM +0100, Jukka Salmi wrote:
>> Manuel Bouyer --> current-users (2005-03-10 15:56:23 +0100):
>> > It's the one installed on the system by default. I didn't change anything
>> > in /etc/pam.d/.
>> > 
>> > # $NetBSD: sshd,v 1.4 2005/02/27 03:40:14 thorpej Exp $
>> > #
>> > # PAM configuration for the "sshd" service
>> > #
>> > 
>> > # auth
>> > auth            required        pam_nologin.so          no_warn
>> > auth            sufficient      pam_krb5.so             no_warn try_first_pass
>> > auth            sufficient      pam_ssh.so              no_warn try_first_pass
>> > auth            required        pam_unix.so             no_warn try_first_pass
>> 
>> So the first prompt is from pam_ssh, asking for the passphrase of your
>> ~/.ssh/id_[dr]sa key. The second prompt is from pam_unix, asking for your
>> local system password. Removing the lines referencing pam_ssh should fix
>> the problem. As does using the same secret in both places ;-)
>
>But I don't have authorized_keys on this box, and this happens from
>accounts with or without ssh keys in ~/.ssh/.
>pam_ssh should detect such situations and not ask for a passphrase in such
>cases.

Try this (untested):

christos

Index: pam_ssh.c
===================================================================
RCS file: /cvsroot/src/lib/libpam/modules/pam_ssh/pam_ssh.c,v
retrieving revision 1.4
diff -u -u -r1.4 pam_ssh.c
--- pam_ssh.c	27 Feb 2005 01:16:27 -0000	1.4
+++ pam_ssh.c	10 Mar 2005 21:45:50 -0000
@@ -162,6 +162,18 @@
 	if (pam_err != PAM_SUCCESS)
 		return (pam_err);
 
+	for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
+		char path[MAXPATHLEN];
+		(void)snprintf(path, sizeof(path), "%s/%s", pwd->pw_dir, *kfn);
+		if (access(path, R_OK) == 0)
+			break;
+	}
+
+	if (*kfn == NULL) {
+		openpam_restore_cred(pamh);
+		return (PAM_AUTH_ERR);
+	}
+
 	pass = (pam_get_item(pamh, PAM_AUTHTOK,
 	    (const void **)__UNCONST(&passphrase)) == PAM_SUCCESS);
  load_keys:
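Review bot: `kfn` is assigned in the new loop but no declaration for it appears in the hunk; unless the enclosing function already declares it (as `const char **kfn;`) for the key-loading loop below `load_keys:`, this does not compile. Two smaller points in the same lines: `snprintf()`'s return value is not checked, so a `pw_dir` plus key-file name longer than MAXPATHLEN is silently truncated and `access()` then tests a different, truncated name; treating a return of `>= sizeof(path)` as "not present" (just `continue`) is safer, and MAXPATHLEN needs `<sys/param.h>` if the file does not already include it. The `openpam_restore_cred(pamh)` on the no-key path shows the check runs with the user's borrowed credentials, which is the right thing: an `access(2)` done as root would report keys readable that the user cannot open, so keep the check inside the borrow/restore window. Finally, PAM_AUTH_ERR for "no key file at all" works with the `sufficient` entry in the quoted config (the stack falls through to pam_unix without the passphrase prompt, which is the goal), but PAM_AUTHINFO_UNAVAIL describes the condition more precisely; the `access()`-then-open window is only a prompt-suppression heuristic, so the race there is harmless.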