[X2Go-Dev] Bug#966: Banner issue update
Cherry, Andrew J.
acherry at alcf.anl.gov
Tue Aug 29 22:17:55 CEST 2017
One more note about reproducing this -- I've found that pam_echo.so only prints the banner *before* the password prompt if sshd is configured with "ChallengeResponseAuthentication yes" (which we happen to have due to our CryptoCard token usage).
> On Aug 29, 2017, at 12:52 PM, Cherry, Andrew J. <acherry at alcf.anl.gov> wrote:
> I've done some additional testing, prompted by your mention of the banner being configured using the Banner option in sshd_config. It turns out we are *not* using the sshd config option -- instead, we are displaying the banner using the pam_echo module, configured with the following line in /etc/pam.d/sshd:
> auth optional pam_echo.so file=/etc/issue.net
> What I've found so far is that the same /etc/issue.net plays nice with x2go when configured via the Banner option, but causes an auth failure when configured using pam_echo.so.
> I'm going to do some more digging to see if I can figure out what the difference is. Oddly, if I cut/paste the output from the OpenSSH client (on Linux) up to and including the Password: prompt, and do a diff between the two, they are byte-for-byte identical.
> By the way, the reason we use pam_echo.so instead of the Banner option is because we actually have two banners -- /etc/issue/net for the standard security boilerplate which is always displayed, and /etc/issue.alcf which is normally empty but is populated with information during our scheduled maintenance windows when logins are disabled. However, I've confirmed that the problem still occurs even if I configure pam_echo.so to only display /etc/issue.net
More information about the x2go-dev