Bug 892

Summary: Send output from PAM account modules to user
Product: Portable OpenSSH
Reporter: Darren Tucker <dtucker>
Component: PAM support
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED
Severity: normal
CC: Robert.Dahlem
Priority: P2
Version: -current
Hardware: Other
OS: All
Attachments:
Description: Collect PAM auth messages and send with SSH2_BANNER (Flags: djm: ok+)

Description Darren Tucker 2004-07-05 16:56:55 AEST
At the moment, output from the PAM account modules is discarded in some cases.

This is because if the user hasn't gone through one of the PAM auth methods (e.g.
if they used publickey) then the sshpam_null_conv conversation function is still
used.

Comment 1 Darren Tucker 2004-07-05 17:25:44 AEST
Created attachment 681
Collect PAM auth messages and send with SSH2_BANNER

This patch collects the messages from pam_acct_mgmt (using the existing
store_conv), copies them from the monitor and sends them to the user using an
SSH2_MSG_USERAUTH_BANNER message.  auth-pam.c used to do something like this in
the pre-privsep days.

This does not leak information to unauthenticated users since a user must
successfully authenticate via some method before that can occur.

(The diff is smaller than it looks; most of the bulk is the relocation of
sshpam_store_conv so that it can be used earlier. It was not changed.)
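
The mechanism described in comment 1, as an added sketch that is neither the attached patch nor OpenSSH's code: a PAM conversation callback that keeps informational and error text, refuses prompts, and encodes the result as an SSH2_MSG_USERAUTH_BANNER payload. The `demo_` names, the fixed-size `collected` buffer and the stand-in PAM definitions (mirroring Linux-PAM, so the block compiles without libpam) are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins mirroring Linux-PAM's <security/pam_appl.h> (assumption: libpam absent). */
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

#define SSH2_MSG_USERAUTH_BANNER 53   /* RFC 4252, section 5.4 */

static char collected[1024];          /* hypothetical fixed-size message store */

/* Conversation callback: keep info/error text, refuse anything needing input. */
int demo_store_conv(int n, const struct pam_message **msg,
                    struct pam_response **resp, void *data)
{
    (void)data;
    if (n <= 0 || msg == NULL || resp == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        const struct pam_message *m = msg[i];
        if (m == NULL || m->msg == NULL ||
            (m->msg_style != PAM_ERROR_MSG && m->msg_style != PAM_TEXT_INFO))
            return PAM_CONV_ERR;      /* a prompt cannot be answered here */
        size_t used = strlen(collected), len = strlen(m->msg);
        if (used + len + 2 > sizeof(collected)) return PAM_CONV_ERR;
        memcpy(collected + used, m->msg, len);
        memcpy(collected + used + len, "\n", 2);   /* newline plus terminator */
    }
    /* PAM expects one (empty) response slot per message. */
    *resp = calloc((size_t)n, sizeof(**resp));
    return *resp ? PAM_SUCCESS : PAM_CONV_ERR;
}

/* Encode the collected text as: byte type, string message, string language tag. */
size_t demo_encode_banner(uint8_t *out, size_t cap)
{
    size_t len = strlen(collected);
    if (len == 0 || cap < 1 + 4 + len + 4) return 0;
    out[0] = SSH2_MSG_USERAUTH_BANNER;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(len >> (24 - 8 * i));
    memcpy(out + 5, collected, len);
    memset(out + 5 + len, 0, 4);      /* empty language tag */
    return 9 + len;
}
```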

Comment 2 Damien Miller 2004-09-11 18:50:16 AEST
Comment on attachment 681
Collect PAM auth messages and send with SSH2_BANNER

Looks OK, but I think the userauth_send_banner() should go to OpenBSD too.

Comment 3 Darren Tucker 2004-09-11 23:07:26 AEST
Applied, thanks.

Comment 4 Darren Tucker 2006-10-07 11:36:29 AEST
Change all RESOLVED bugs to CLOSED with the exception of the ones fixed post-4.4.