auth-pam.c support for pam_chauthtok()

Andrew Morgan morgan at transmeta.com
Tue Dec 19 06:07:21 EST 2000


[Much time passes, and I'm working my way through 1600 ssh messages..]

I believe this patch contains a bug. It's really a Sun documentation bug
that no one noticed until 4 years after Linux had a working PAM
implementation (read, it's not going to change in the Linux
implementation of PAM now) and two years after Sun released their first
PAM support.

Basically, the patch as submitted included this diff (auth-pam.c):

-       for(count = 0; count < num_msg; count++) {
-               switch (msg[count]->msg_style) {
+       for (count = 0; count < num_msg; count++) {
+               switch ((*msg)[count].msg_style) {
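
Review bot: the `(*msg)[count].msg_style` access on the + line indexes an array of structures behind the first pointer, while the removed `msg[count]->msg_style` indexes an array of pointers, and the two only agree when count is 0. Since the loop runs to num_msg, any conversation with more than one message reads the wrong memory on whichever platform uses the other layout. Suggest selecting the access form with a build-time platform conditional instead of replacing one form with the other unconditionally.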

Note, the 'msg' got replaced with '(*msg)'. For single prompts (count=0)
thanks to 'C' these two are identical. Unfortunately, the former (-) is
correct for Linux-PAM, and the latter (+) is correct for Solaris. For
(count!=0) these two differ.

[FWIW, some PAM module vendors actually supply msg pointers that doubly
link to the actual messages. But, in the main, Linux differs from
Solaris on this point.]

If it isn't clear:

* Linux provides a pointer to an array of message pointers.

* Solaris provides a pointer to a pointer to an array of message
structures (yes this is somewhat bizarre with one unnecessary level of
indirection).

Please conditionalize the above change with something like this:

=========
/* Note, the original PAM spec was unclear on the nature of the 'msg'
   pointer passed to the conversation function. Solaris (and thus HPUX -
   whose PAM is based on the Sun codebase), assumed a second level of
   indirection, Linux (and basically every other OS since they use the
   Linux-PAM source code) interpreted this as a pointer to an array of
   pointers. Here we support both with a little bit of macro
   redirection. */

#if defined(__sun) || defined(__hpux) /* closed-source base from Sun (solaris, hpux) */
# define PMSG (*msg)
#else /* 99.9% likely to be a port of Linux-PAM */
# define PMSG msg
#endif
=========

And then pepper the code with PMSG instead of what's there now:
s/(*msg)/PMSG/g .

Thanks

Andrew

Damien Miller wrote:
> 
> On Wed, 13 Sep 2000, Steve VanDevender wrote:
> 
> > When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users
> > noticed that it did not honor password expiration consistently with
> > other Solaris login services.
> >
> > The patch below is against OpenSSH 2.2.0p1 and adds support for PAM
> > password changes on expiration via pam_chauthtok().  A brief summary of
> > changes:
> 
> Thanks - applied.
> 
> -d
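
The layout difference described in this thread, as an added example that is not part of the original messages or of OpenSSH: it builds a two-message conversation in both layouts and reads `msg_style` with both expressions from the diff. The struct, style values, prompt strings and function names are constructed for the demonstration.

```c
#include <stdio.h>

/* Constructed stand-in for struct pam_message; real code uses the PAM headers. */
struct demo_message { int msg_style; const char *msg; };
enum { DEMO_ECHO_OFF = 1, DEMO_TEXT_INFO = 4, DEMO_DECOY = 99 }; /* constructed values */

/* Linux-PAM reading: msg is an array of pointers, one per message. */
static int style_linux(const struct demo_message **msg, int i) { return msg[i]->msg_style; }

/* Solaris reading: *msg is the first element of an array of structures. */
static int style_sun(const struct demo_message **msg, int i) { return (*msg)[i].msg_style; }

/* Linux-PAM-style layout: the real messages are pool[0] and pool[2]. The decoy
   between them keeps the wrong read well defined in this demo; in a real
   process that slot is whatever happens to follow the first message. */
static const struct demo_message pool[3] = {
    { DEMO_TEXT_INFO, "Your password has expired" },
    { DEMO_DECOY,     "not part of the conversation" },
    { DEMO_ECHO_OFF,  "New password: " },
};
static const struct demo_message *linux_msgs[2] = { &pool[0], &pool[2] };

/* Solaris-style layout: one contiguous array behind a single pointer. */
static const struct demo_message sun_array[2] = {
    { DEMO_TEXT_INFO, "Your password has expired" },
    { DEMO_ECHO_OFF,  "New password: " },
};
static const struct demo_message *sun_first = sun_array;

/* msg_style of message i in the Linux-style layout, under either reading. */
int read_linux_layout(int sun_reading, int i)
{
    return sun_reading ? style_sun(linux_msgs, i) : style_linux(linux_msgs, i);
}

/* msg_style of message i in the Solaris-style layout, read the Solaris way. */
int read_sun_layout(int i) { return style_sun(&sun_first, i); }

int main(void)
{
    for (int i = 0; i < 2; i++)
        printf("msg %d: linux=%d sun-on-linux=%d sun=%d\n", i,
               read_linux_layout(0, i), read_linux_layout(1, i), read_sun_layout(i));
    return 0;
}
```

Both readings agree for message 0; for message 1 the Solaris expression applied to the Linux-style layout returns the decoy's style instead of the password prompt's.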




