- (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv,

and use it for do_pam_session. Fixes problems like pam_motd not displaying anything. ok djm@
2003-11-18 12:42:07 +11:00 · 2003-11-18 12:42:07 +11:00 · 18df00cc77
parent 6aef38f5ac
commit 18df00cc77
2 changed files with 30 additions and 33 deletions
--- a/7
+++ b/7
@ -1,6 +1,9 @@
-20031117
+20031118
 - (djm) Fix early exit for root auth success when UsePAM=yes and 
   PermitRootLogin=no
+ - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv,
+   and use it for do_pam_session.  Fixes problems like pam_motd not displaying
+   anything.  ok djm@

 20031117
 - (djm) OpenBSD CVS Sync
@ -1476,4 +1479,4 @@
 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
   Report from murple@murple.net, diagnosis from dtucker@zip.com.au

-$Id: ChangeLog,v 1.3113 2003/11/17 23:45:20 djm Exp $
+$Id: ChangeLog,v 1.3114 2003/11/18 01:42:07 dtucker Exp $
--- a/auth-pam.c
+++ b/auth-pam.c
@ -31,7 +31,7 @@

 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.80 2003/11/17 10:41:42 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.81 2003/11/18 01:42:08 dtucker Exp $");

 #ifdef USE_PAM
 #include <security/pam_appl.h>
@ -52,6 +52,7 @@ RCSID("$Id: auth-pam.c,v 1.80 2003/11/17 10:41:42 djm Exp $");
 #include "auth-options.h"

 extern ServerOptions options;
+extern Buffer loginmsg;

 #define __unused

@ -497,13 +498,9 @@ sshpam_query(void *ctx, char **name, char **info,
 		case PAM_AUTH_ERR:
 			if (**prompts != NULL) {
 				/* drain any accumulated messages */
-#if 0 /* XXX - not compatible with privsep */
-				packet_start(SSH2_MSG_USERAUTH_BANNER);
-				packet_put_cstring(**prompts);
-				packet_put_cstring("");
-				packet_send();
-				packet_write_wait();
-#endif
+				debug("PAM: %s", **prompts);
+				buffer_append(&loginmsg, **prompts,
+				    strlen(**prompts));
 				xfree(**prompts);
 				**prompts = NULL;
 			}
@ -630,21 +627,6 @@ do_pam_account(void)
 	return (1);
 }

-void
-do_pam_session(void)
-{
-	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, 
-	    (const void *)&null_conv);
-	if (sshpam_err != PAM_SUCCESS)
-		fatal("PAM: failed to set PAM_CONV: %s",
-		    pam_strerror(sshpam_handle, sshpam_err));
-	sshpam_err = pam_open_session(sshpam_handle, 0);
-	if (sshpam_err != PAM_SUCCESS)
-		fatal("PAM: pam_open_session(): %s",
-		    pam_strerror(sshpam_handle, sshpam_err));
-	sshpam_session_open = 1;
-}
-
 void
 do_pam_set_tty(const char *tty)
 {
@ -691,7 +673,7 @@ is_pam_password_change_required(void)
 }

 static int
-pam_chauthtok_conv(int n, const struct pam_message **msg,
+pam_tty_conv(int n, const struct pam_message **msg,
    struct pam_response **resp, void *data)
 {
 	char input[PAM_MAX_MSG_SIZE];
@ -700,7 +682,7 @@ pam_chauthtok_conv(int n, const struct pam_message **msg,

 	*resp = NULL;

-	if (n <= 0 || n > PAM_MAX_NUM_MSG)
+	if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO))
 		return (PAM_CONV_ERR);

 	if ((reply = malloc(n * sizeof(*reply))) == NULL)
@ -742,6 +724,8 @@ pam_chauthtok_conv(int n, const struct pam_message **msg,
 	return (PAM_CONV_ERR);
 }

+static struct pam_conv tty_conv = { pam_tty_conv, NULL };
+
 /*
 * XXX this should be done in the authentication phase, but ssh1 doesn't
 * support that
@ -749,15 +733,10 @@ pam_chauthtok_conv(int n, const struct pam_message **msg,
 void
 do_pam_chauthtok(void)
 {
-	struct pam_conv pam_conv;
-
-	pam_conv.conv = pam_chauthtok_conv;
-	pam_conv.appdata_ptr = NULL;
-
 	if (use_privsep)
 		fatal("Password expired (unable to change with privsep)");
 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-	    (const void *)&pam_conv);
+	    (const void *)&tty_conv);
 	if (sshpam_err != PAM_SUCCESS)
 		fatal("PAM: failed to set PAM_CONV: %s",
 		    pam_strerror(sshpam_handle, sshpam_err));
@ -768,6 +747,21 @@ do_pam_chauthtok(void)
 		    pam_strerror(sshpam_handle, sshpam_err));
 }

+void
+do_pam_session(void)
+{
+	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, 
+	    (const void *)&tty_conv);
+	if (sshpam_err != PAM_SUCCESS)
+		fatal("PAM: failed to set PAM_CONV: %s",
+		    pam_strerror(sshpam_handle, sshpam_err));
+	sshpam_err = pam_open_session(sshpam_handle, 0);
+	if (sshpam_err != PAM_SUCCESS)
+		fatal("PAM: pam_open_session(): %s",
+		    pam_strerror(sshpam_handle, sshpam_err));
+	sshpam_session_open = 1;
+}
+
 /* 
 * Set a PAM environment string. We need to do this so that the session
 * modules can handle things like Kerberos/GSI credentials that appear