At the moment, output from the PAM account modules is discarded in some cases. This is because if the user hasn't gone through one of the PAM auth methods (eg if they used publickey) then the sshpam_null_conv conversation function is still used.
Created attachment 681 [details] Collect PAM auth messages and send with SSH2_BANNER This patch collects the messages from pam_acct_mgmt (using the existing store_conv), copies it from the monitor and sends it to the user using a SSH2_MSG_USERAUTH_BANNER message. auth-pam.c used to do something like this in the pre-privsep days. This does not leak information to unauthenticated users since a user must successfully authenticate via some method before that can occur. (The diff is smaller than it looks, most of the bulk is the relocation of sshpam_store_conv so that it can be used earlier, it was not changed.)
Comment on attachment 681 [details] Collect PAM auth messages and send with SSH2_BANNER looks ok, but i think the userauth_send_banner() should go to OpenBSD too
Applied, thanks.
Change all RESOLVED bug to CLOSED with the exception of the ones fixed post-4.4.