Regarding PAM_TTY_KLUDGE and Solaris 8...

Damien Miller djm at
Fri Oct 26 11:33:16 EST 2001

On Thu, 25 Oct 2001, Ed Phillips wrote:

> However, I think a change should be made so that pam_chauthtok() is not
> called if we don't have a real TTY.

> Is there anything I'm missing?

The fact that pam_chauthtok was never getting called without a tty 
anyway.  Look at the code path in session.c. The do_pam_chauthtok() call 
was only being made for the tty case.

If there is a problem, it is that accounts with expired passwords were
still able to execute commands. Please try the patch below for this.

Index: session.c
RCS file: /var/cvs/openssh/session.c,v
retrieving revision 1.154
diff -u -r1.154 session.c
--- session.c	2001/10/12 01:35:51	1.154
+++ session.c	2001/10/26 01:30:29
@@ -432,6 +432,9 @@
 #if defined(USE_PAM)
 	do_pam_session(s->pw->pw_name, NULL);
+	if (is_pam_password_change_required())
+		packet_disconnect("Password change required but no "
+		    "TTY available");
 #endif /* USE_PAM */
 	/* Fork the child. */

| By convention there is color,       \\ Damien Miller <djm at>
| By convention sweetness, By convention bitterness, \\
| But in reality there are atoms and space - Democritus (c. 400 BCE)

More information about the openssh-unix-dev mailing list