New PAM code landing (at last)

Frank Cusack fcusack at
Mon May 12 13:34:17 EST 2003

On Sat, May 10, 2003 at 07:20:58PM +1000, Damien Miller wrote:
> The long-mooted PAM merge from FreeBSD is starting _now_. This replaces
> the PAM password auth kludge that we have used until now with a discrete
> challenge-response module. This module is invoked via
> keyboard-interactive for protocol 2 or TIS auth for protocol 1.
> Warning: this is a large change and will probably break things. It has
> only been tested with basic password auth modules and not at all (by me)
> on non-Linux systems (I put out test requests on snapshots of this, but
> nobody responded...)

Actually, I did respond, and we got into an argument about it.  Although,
I didn't have an opportunity to actually test it, and I guess no one
else did either.

I don't see what's wrong with the existing code.  Especially when you
say the new code "will probably break things".  Now I have to study
this new code and port my bugfixes all over again. :-)

I tried to download, but the latest snapshot (20030409) doesn't contain
the PAM bits, and appears to be down.  I took some
time to look at the snapshot you offered previously (20030123) and found
three problems:

- kbdint authentication cannot be abandoned
- print_pam_messages() doesn't do anything!
- sshpam_query() sends the client only one pam prompt at a time;
  this is explicitly mentioned as wrong in the kbdint draft.

As to pam_*_session(), in this new code, the auth bits run in the
monitor and communicate with the unpriv child via a socket.  Seeing
that, I assumed pam_*_session() would have been set up to do the same.
The problem seems pretty easy now that the plumbing is in place.
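
The third problem in the list above, as an added sketch that is not part of the original message and is not OpenSSH code: every message from one PAM conversation call is folded into a single keyboard-interactive info request, which carries an instruction string plus a list of prompts with echo flags. The type names, `build_request()`, the prompt limit, and the choice to place informational and error text in the instruction field are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-ins for the four PAM message styles (no libpam needed). */
enum msg_style { ECHO_OFF, ECHO_ON, ERROR_MSG, TEXT_INFO };
struct conv_msg { enum msg_style style; const char *text; };
#define MAX_PROMPTS 8
struct kbdint_request {              /* one info request sent to the client */
    char instruction[256];           /* informational/error text, shown first */
    int num_prompts;
    const char *prompt[MAX_PROMPTS];
    int echo[MAX_PROMPTS];           /* 1 = client may echo the reply */
};
/* Fold every message of one conversation call into a single request.
 * Returns the number of prompts, or -1 if the batch does not fit. */
int build_request(const struct conv_msg *msgs, int n, struct kbdint_request *req)
{
    memset(req, 0, sizeof(*req));
    for (int i = 0; i < n; i++) {
        size_t used = strlen(req->instruction), room = sizeof(req->instruction) - used;
        int w;
        switch (msgs[i].style) {
        case ECHO_OFF: case ECHO_ON:
            if (req->num_prompts == MAX_PROMPTS) return -1;
            req->prompt[req->num_prompts] = msgs[i].text;
            req->echo[req->num_prompts++] = (msgs[i].style == ECHO_ON);
            break;
        case ERROR_MSG: case TEXT_INFO:
            w = snprintf(req->instruction + used, room, "%s\n", msgs[i].text);
            if (w < 0 || (size_t)w >= room) return -1; /* never truncate silently */
            break;
        default:
            return -1;               /* unknown style: reject the whole batch */
        }
    }
    return req->num_prompts;
}

/* Constructed sample: three messages handed over in one conversation call. */
static const struct conv_msg sample[] = {
    { TEXT_INFO, "Token required for this host." },
    { ECHO_ON, "Login: " }, { ECHO_OFF, "Passcode: " },
};

int main(void)
{
    struct kbdint_request r;
    printf("prompts in one request: %d\n", build_request(sample, 3, &r));
    return 0;
}
```

Rejecting an oversized batch rather than truncating it keeps the client from seeing a prompt without the text that explains it.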


More information about the openssh-unix-dev mailing list