Bug 890

Summary: Allow users to see output from failing PAM session modules.
Product: Portable OpenSSH
Reporter: Darren Tucker <dtucker>
Component: PAM support
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED    
Severity: normal    
Priority: P2    
Version: -current   
Hardware: Other   
OS: All   
Attachments:
Description: If do_pam_session fails, end output to user then close session. Flags: none
Description: Make work for privsep=no too. Flags: djm: ok+

Description Darren Tucker 2004-07-03 18:54:21 AEST
Because a failure in do_pam_session causes an immediate fatal(), the connection
exits uncleanly, e.g., with the following PAM config:
session required pam_motd.so motd=/etc/mynologin
session required pam_deny.so

Attempting to log in will result in:
testuser@localhost's password:
Read from remote host localhost: Connection reset by peer
Connection to localhost closed.

Comment 1 Darren Tucker 2004-07-03 18:57:31 AEST
Created attachment 678
If do_pam_session fails, end output to user then close session.

Patch to fix.  If a PAM session module fails, this is what happens:
$ ssh testuser@localhost
testuser@localhost's password:
No user logins right now.

Connection to localhost closed.

Comment 2 Darren Tucker 2004-07-04 11:21:34 AEST
Created attachment 679
Make work for privsep=no too

Comment 3 Damien Miller 2004-09-11 18:43:02 AEST
Comment on attachment 679
Make work for privsep=no too

ok

Comment 4 Darren Tucker 2004-09-11 22:17:56 AEST
Thanks, applied.

Comment 5 Darren Tucker 2006-10-07 11:36:27 AEST
Change all RESOLVED bugs to CLOSED with the exception of the ones fixed post-4.4.
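
The behaviour change discussed in this bug, as an added example that is not OpenSSH's code or either attached patch: a small C model of a "required" session stack in which one module emits a message and a later one fails. The names session_module, mod_motd, mod_deny, open_session and handle_login are hypothetical, and the two modules are constructed stand-ins for pam_motd.so and pam_deny.so.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a PAM session module: may append text meant for
 * the user to msgs, returns 0 on success and nonzero on failure. */
typedef int (*session_module)(char *msgs, size_t len);

static int mod_motd(char *msgs, size_t len) {   /* plays pam_motd.so */
    size_t used = strlen(msgs);
    snprintf(msgs + used, len - used, "No user logins right now.\n");
    return 0;
}

static int mod_deny(char *msgs, size_t len) {   /* plays pam_deny.so */
    (void)msgs; (void)len;
    return 1;
}

/* Run a stack of "required" modules. As with PAM's required control, a
 * failure does not stop later modules but fails the stack as a whole. */
static int open_session(const session_module *stack, size_t n,
                        char *msgs, size_t len) {
    int failed = 0;
    msgs[0] = '\0';
    for (size_t i = 0; i < n; i++)
        if (stack[i](msgs, len) != 0)
            failed = 1;
    return failed;
}

/* Returns 1 if the session starts, 0 if the connection is closed; channel
 * receives what the user sees. flush_on_failure=0 models the immediate
 * fatal() from the report, 1 models sending the output and then closing. */
int handle_login(const session_module *stack, size_t n, int flush_on_failure,
                 char *channel, size_t len) {
    char msgs[256];
    int failed = open_session(stack, n, msgs, sizeof msgs);
    channel[0] = '\0';
    if (!failed || flush_on_failure)
        snprintf(channel, len, "%s", msgs);
    return !failed;
}

int main(void) {
    session_module stack[] = { mod_motd, mod_deny };
    char seen[256];
    handle_login(stack, 2, 1, seen, sizeof seen);
    fputs(seen, stdout);
    return 0;
}
```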