Bug 3154 - Issue with showing info and error messages from a blocking PAM module
Summary: Issue with showing info and error messages from a blocking PAM module
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: PAM support (show other bugs)
Version: 8.2p1
Hardware: amd64 Linux
: P5 minor
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-25 20:55 AEST by Milos Pejovic
Modified: 2020-04-25 20:55 AEST (History)
0 users

See Also:

Attachments
PAM module that demonstrates the problem (1.42 KB, text/x-csrc)
2020-04-25 20:55 AEST, Milos Pejovic 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Milos Pejovic 2020-04-25 20:55:34 AEST 
Created attachment 3388 [details]
PAM module that demonstrates the problem

I've stumbled across an apparent issue with showing messages using PAM_TEXT_INFO style from a PAM module that blocks for (non-keyboard) user input. The same thing happens when using PAM_ERROR_MSG, but PAM_PROMPT_ECHO_OFF/ON work correctly.

Attached is an example module that works properly with sudo, but shows both messages at the same time, at the end of the PAM stack execution, when trying to log into a server running sshd.

Note that nothing is displayed from previous PAM modules either, i.e. if I put pam_echo module in the stack before the blocking one, its output is also displayed at the very end of the stack execution.

This was tested on Arch Linux with openssh 8.2p1-3, and Ubuntu 18.04 with openssh-server 7.6p1-4ubuntu0.3. The "ChallengeResponseAuthentication" option was enabled in /etc/ssh/sshd_config.