[Bug 3778] New: Custom PAM module's pam_info / pam_echo duplicated output when running on SSH

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Jan 20 05:45:50 AEDT 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3778

            Bug ID: 3778
           Summary: Custom PAM module's pam_info /  pam_echo duplicated
                    output when running on SSH
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jcastillo at secureauth.com

I'm currently developing a custom PAM module to add MFA to Linux
authentication, and I'm encountering an issue where messages printed via
the pam_info function are printed twice if my module is called during SSH
authentication.
I tested this in two ways, using my own simple PAM module and also
using the pam_echo module, and both show the same behavior.
This was tested on Red Hat Enterprise Linux, Ubuntu and Debian. I
also tested the same module with other authentication such as sudo or su,
and the issue is not present.

----------

To reproduce this, the simplest method is to use the
pam_echo.so module.

PAM configuration file (from Red Hat Enterprise Linux 9) at
/etc/pam.d/sshd:

#%PAM-1.0
auth       substack     password-auth
auth       required     pam_echo.so hello_echo
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
#session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin


Using this configuration produces the following output:

[myuser@rhel9vc ~]$ ssh localhost
(myuser@localhost) Password:
hello_echo
hello_echo
Last login: Sun Jan 19 10:25:57 2025 from ::1
[myuser@rhel9vc ~]$

------------------------------------
