gcc -o sshd sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o -L. -Lopenbsd-compat/ -L/local/pkg/openssl/lib -lssh -lopenbsd-compat -lwrap -lpam -ldl -lutil -lz -lnsl -lcrypto
monitor.o: In function `mm_answer_authpassword':
/local/pkg/openssh/src/openssh/monitor.c:545: undefined reference to `auth_password'

But auth_password is defined in auth-passwd.c, and the whole file is surrounded by
#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
If I understand the PAM code (none of the PRIVSEP code has been made to work with it right now) one should never call auth_password(); they should be calling auth_pam_password(). So in the mm_answer_authpassword() function it should look something like this (untested, and unsure if any other PAM tweaks are needed), but I won't commit anything until someone says ya or na for it being correct. passwd = buffer_get_string(m, &plen); /* Only authenticate if the context is valid */ +#ifdef USE_PAM + /* Do PAM auth with password */ + authenticated = authctxt->valid && auth_pam_password + (authctxt>pw,passwd); +#else authenticated = authctxt->valid && auth_password(authctxt, passwd); +#endif memset(passwd, 0, strlen(passwd)); xfree(passwd);
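Review bot: in the added USE_PAM branch the first argument is written "authctxt>pw", which is a comparison rather than a member access, so the PAM call would not receive the passwd entry; it needs to be "authctxt->pw". The guard also covers only USE_PAM, while the report says auth-passwd.c is compiled out when either USE_PAM or HAVE_OSF_SIA is defined, so the #else branch still references auth_password() on a HAVE_OSF_SIA build and would hit the same undefined reference; the conditional should account for that case too. Since the proposal itself notes that none of the privsep code works with PAM yet, a short comment at the #ifdef saying so would keep the branch from being read as full PAM support in the monitor.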
<grumble> Now I know why I don't cut and paste into the comments normally. The correct line is: authenticated = authctxt->valid && auth_pam_password(authctxt->pw,passwd);
I will look at this. Privsep needs PAM integration, but first let's get --with-pam working with no privsep in use.
- (stevesk) [monitor.c] PAM should work again; will *not* work with UsePrivilegeSeparation=yes.
Mass change of RESOLVED bugs to CLOSED