3481 – PAM_TEXT_INFO messages are shown twice if they are the last conversation

Bug 3481 - PAM_TEXT_INFO messages are shown twice if they are the last conversation

Summary: PAM_TEXT_INFO messages are shown twice if they are the last conversation

Status:	NEW

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	PAM support (show other bugs)
Version:	8.4p1
Hardware:	Other Linux

Importance:	P5 normal
Assignee:	Assigned to nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-10-11 00:44 AEDT by Martin
Modified:	2023-02-16 03:30 AEDT (History)
CC List:	0 users

See Also:

Attachments
Minimal test case (1.48 KB, text/plain) 2023-02-16 03:30 AEDT, Martin	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Martin 2022-10-11 00:44:49 AEDT

When the last conversation from PAM module is of type PAM_TEXT_INFO, the last message "User admin has authenticated successfully" is displayed twice as can be seen in the output from our module:

$ ssh ascz@client.vm.scz-vm.net
(ascz@client.vm.scz-vm.net) Please sign in to: https://sbs.scz-vm.net/weblogin/weblogin/d8b054d3-8082-4278-8947-82973ffffb77
Verification code: 
User admin has authenticated successfully
User admin has authenticated successfully
Last login: Mon Oct 10 13:27:31 2022 from 172.20.1.1

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

However, when I add a conversation "Press Enter to continue" of type PAM_PROMPT_ECHO_OFF just before the PAM module returns, I get this:

$ ssh ascz@client.vm.scz-vm.net
(ascz@client.vm.scz-vm.net) Please sign in to: https://sbs.scz-vm.net/weblogin/weblogin/fd0cc5e5-a0f4-4eb6-a14b-68196ed7110f
Verification code: 
(ascz@client.vm.scz-vm.net) User admin has authenticated successfully
Press Enter to continue
Last login: Mon Oct 10 13:33:12 2022 from 172.20.1.1

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.


Pamtester does not exhibit this behaviour.

The PAM module code, for reference:
https://github.com/SURFscz/pam-weblogin

Comment 1 Martin 2023-02-16 03:30:58 AEDT

Created attachment 3677 [details]
Minimal test case

Attached is a minimal test case that shows the observed behaviour in all it's glory. It includes the tty_output() in the same we include it in our module.

It was compiled on ubuntu 22.10 using:
$ gcc pam_test.c -shared -o pam_test.so -lpam

copied to /usr/local/lib/security
$ sudo cp pam_test.so /usr/local/lib/security/pam_test.so

activated as a pam module in /etc/pam.d/sshd just above common-account
...
auth required /usr/local/lib/security/pam_test.so
# Standard Un*x authorization.
@include common-account

tested using pamtester:
$ pamtester sshd martin authenticate
Password: 
Info
pamtester: successfully authenticated

tested using sshd:
$ ssh localhost
(martin@localhost) Password: 
Info
Info
Welcome to Ubuntu 22.10 (GNU/Linux 6.1.11 x86_64)

Which clearly shows the double output of the last (and only) PAM_TEXT_INFO message.