Currently OpenSSH runs pam_setcred with the 'fake' conversation function sshpam_store_conv. If some PAM module actually tries to converse for pam_setcred, sshpam_store_conv fails with PAM_CONV_ERR. But there are/will be real-world PAM modules that actually need to converse for pam_setcred. This bug asks for making that possible for keyboard-interactive authentication. Allowing pam_setcred conversation for other user auths (pubkey, password, hostbased, gssapi-with-mic, ...) would be significantly harder, because for other auths there is no support for prompts and replies in the SSH authentication protocol.
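To make the failure mode concrete, here is an added example (not OpenSSH's code and not the attached patch) that places a "store" conversation function in the style of sshpam_store_conv next to an interactive one, and drives both with a constructed stand-in for a pam_setcred module that needs a reply before it can establish credentials. The struct and constant definitions are assumptions that mirror Linux-PAM's <security/pam_appl.h> so the file builds without libpam; the module and the fixed "1234" reply are constructed for the example.

```c
/* Added example, not OpenSSH code. Definitions below mirror <security/pam_appl.h>
 * (Linux-PAM values) so this builds stand-alone without libpam. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS          0
#define PAM_CONV_ERR         19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};

/* State kept by the store conversation: text buffered for later display. */
struct store_state { char buf[256]; int prompts_refused; };

/* Like sshpam_store_conv: PAM_TEXT_INFO / PAM_ERROR_MSG are buffered, but
 * there is no client to answer a prompt, so any ECHO_ON/ECHO_OFF request
 * ends the conversation with PAM_CONV_ERR. */
static int store_conv(int n, const struct pam_message **msg,
                      struct pam_response **resp, void *data)
{
    struct store_state *st = data;
    *resp = NULL;
    for (int i = 0; i < n; i++) {
        switch (msg[i]->msg_style) {
        case PAM_TEXT_INFO:
        case PAM_ERROR_MSG:
            strncat(st->buf, msg[i]->msg, sizeof(st->buf) - strlen(st->buf) - 1);
            break;
        default:
            st->prompts_refused++;
            return PAM_CONV_ERR;
        }
    }
    return PAM_SUCCESS;
}

/* A real conversation, as is available during keyboard-interactive auth:
 * every prompt is answered with the reply passed in appdata_ptr. */
static int answering_conv(int n, const struct pam_message **msg,
                          struct pam_response **resp, void *data)
{
    const char *answer = data;
    struct pam_response *r = calloc((size_t)n, sizeof(*r));
    if (r == NULL)
        return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF ||
            msg[i]->msg_style == PAM_PROMPT_ECHO_ON) {
            size_t len = strlen(answer) + 1;
            r[i].resp = malloc(len);          /* freed by the module */
            if (r[i].resp != NULL)
                memcpy(r[i].resp, answer, len);
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Constructed stand-in for a pam_setcred module that must ask for a PIN
 * before it can establish credentials; returns what pam_setcred would. */
static int setcred_module(const struct pam_conv *conv)
{
    const struct pam_message info   = { PAM_TEXT_INFO, "establishing credentials" };
    const struct pam_message prompt = { PAM_PROMPT_ECHO_OFF, "PIN: " };
    const struct pam_message *msgs[2] = { &info, &prompt };
    struct pam_response *resp = NULL;
    int rc = conv->conv(2, msgs, &resp, conv->appdata_ptr);
    if (rc != PAM_SUCCESS)
        return rc;
    int ok = resp != NULL && resp[1].resp != NULL && resp[1].resp[0] != '\0';
    for (int i = 0; i < 2; i++)
        free(resp[i].resp);
    free(resp);
    return ok ? PAM_SUCCESS : PAM_CONV_ERR;
}

/* pam_setcred driven through the store conversation: the prompt is refused. */
int setcred_with_store_conv(void)
{
    struct store_state st = { "", 0 };
    struct pam_conv c = { store_conv, &st };
    return setcred_module(&c);               /* PAM_CONV_ERR */
}

/* The same module with a conversation that can still reach the client. */
int setcred_with_answering_conv(void)
{
    char answer[] = "1234";                  /* constructed reply */
    struct pam_conv c = { answering_conv, answer };
    return setcred_module(&c);               /* PAM_SUCCESS */
}

int main(void)
{
    printf("store conv:     rc=%d (PAM_CONV_ERR=%d)\n", setcred_with_store_conv(), PAM_CONV_ERR);
    printf("answering conv: rc=%d (PAM_SUCCESS=%d)\n", setcred_with_answering_conv(), PAM_SUCCESS);
    return 0;
}
```

The two drivers show why the ordering matters: the module is identical in both runs, and the only difference is whether the conversation function handed to it can still relay a prompt to the client, which is what moving pam_setcred into the keyboard-interactive exchange preserves.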
Created attachment 2797: Allow PAM conversation for pam_setcred. This patch moves the call to pam_setcred to the end of the actual PAM authentication, where a real conversation function is still available. If pam_setcred was already called, do_pam_setcred does not call it a second time.
I should have noted the following about the proposed patch above: although the patch applies, builds and runs standalone, it has an implicit dependency on the fix for #2548. Without that fix, it only makes the issue described in #2548 worse: on top of pam_authenticate, pam_acct_mgmt and pam_chauthtok, it would add pam_setcred too into the separate address space of the auxiliary PAM process. That would have substantive implications, such as an invalid audit context and damaged audit records.