Regarding PAM_TTY_KLUDGE and Solaris 8...

Darren Moffat Darren.Moffat at eng.sun.com
Fri Oct 26 03:51:01 EST 2001


>Does this make sense?

All makes sense to me.

Solaris 9 is already fixed; the way we do development in Sun ensures that
we fix the problem in the yet-to-be-released system before we fix it
as a patch for other releases.  For some types of fix, not only does it need
to be fixed in the future release first, but the fix must also sit in the
future release for a couple of weeks to ensure it is the right thing to do.

We have safety checks in place to prevent fixing bugs in older releases
if it hasn't already been fixed in the future release or marked as not 
applicable because some other change made it irrelevant.


>Darren... is this true - if PAM_TTY is not set and the user needs to
>change his password, will pam_sm_acct_mgmt() in pam_unix.so return an
>error that sshd can detect and process?

Nope, and I don't think it should either. The PAM modules do not assume
that a tty is present to do the prompting because your conversation
function might actually be a GUI.

It is up to the calling application and its conversation function to
deal with getting the information from the user.  If pam_acct_mgmt
returns PAM_NEW_AUTHTOK_REQD and sshd isn't able to prompt the user for
one (because it has no tty), then it has to make its own choice of what
to do: it can continue and ignore it, or it can display a warning, or it
can disconnect - it is up to sshd to choose what to do (it could use
SSH_ASKPASS if it is available).


>back and forth enough to confuse everybody?).  Maybe there could be a
>PAM_OPEN_SESSION_BROKEN flag in config.h, which is defined by default, and
>we could document which patch needs to be applied on Solaris in order to
>avoid the problem and allow pam_open_session() to be called (with NO
>PAM_TTY set).

Please do not use that as the option name; instead say something that
says what you are actually doing - not calling pam_open_session when sshd
doesn't have a tty.  pam_open_session on Solaris is not broken; it is
just that without the patch the pam_sm_open_session in pam_unix assumes
that it is only ever called with a valid PAM_TTY - that was a bug.

--
Darren J Moffat
