PAM sessions and conversation functions

Colin Watson cjwatson at
Wed Sep 24 08:56:29 EST 2003

In OpenSSH 3.6.1p2, pam_open_session() ran with a conversation function,
do_pam_conversation(), that fed text to the client. In OpenSSH 3.7.1p2,
this is no longer the case: session modules run with a conversation
function that just returns PAM_CONV_ERR. This means that simple session
modules whose job involves printing text on the user's terminal no
longer work: pam_lastlog, pam_mail, and pam_motd.

Can somebody explain to me why this change was made (as part of the
FreeBSD PAM merge, apparently), or if it was a mistake? I realize that
session modules are now run as root, but I'd have thought that modules
should be trusted code and don't need to have their output sanitized.


Colin Watson                                       [cjwatson at]
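
The two conversation behaviours contrasted in the message above, as an added C example that is not OpenSSH code and not part of the original post: a callback that refuses everything, and one that relays a session module's informational text while replacing ASCII control bytes and refusing prompts. The names `textbuf`, `null_conv`, `text_conv` and `emit_info` are hypothetical, the input string is constructed, and the fallback definitions assume Linux-PAM's constant values.

```c
#include <stdio.h>
#include <stdlib.h>
#if __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else /* stand-ins with Linux-PAM's values so this builds without PAM headers */
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };
#endif
typedef int (*conv_fn)(int, const struct pam_message **, struct pam_response **, void *);
struct textbuf { char data[512]; size_t len; }; /* hypothetical sink for relayed text */
/* Behaviour the post reports for 3.7.1p2 session modules: refuse everything. */
int null_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *data) {
    (void)n; (void)msg; (void)resp; (void)data;
    return PAM_CONV_ERR;
}
/* Relay informational text with ASCII control bytes replaced; refuse any prompt. */
int text_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *data) {
    struct textbuf *out = data;
    if (n <= 0 || out == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++)
        if (msg[i]->msg_style != PAM_TEXT_INFO && msg[i]->msg_style != PAM_ERROR_MSG)
            return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)n, sizeof(*r));
    if (r == NULL) return PAM_BUF_ERR;
    for (int i = 0; i < n; i++) {
        const unsigned char *p = (const unsigned char *)msg[i]->msg;
        for (; p && *p && out->len + 2 < sizeof(out->data); p++)
            out->data[out->len++] = ((*p >= 0x20 && *p != 0x7f) || *p == '\n' || *p == '\t') ? (char)*p : '?';
        if (out->len + 1 < sizeof(out->data)) out->data[out->len++] = '\n';
    }
    out->data[out->len] = '\0';
    *resp = r; /* empty responses; the caller frees the array */
    return PAM_SUCCESS;
}
/* What a module such as pam_motd does: pass one PAM_TEXT_INFO message to the callback. */
int emit_info(conv_fn conv, void *data, const char *text) {
    struct pam_message m = { .msg_style = PAM_TEXT_INFO, .msg = text };
    const struct pam_message *mp = &m;
    struct pam_response *resp = NULL;
    int rc = conv(1, &mp, &resp, data);
    free(resp);
    return rc;
}
int main(void) {
    struct textbuf b = { {0}, 0 };
    int rc = emit_info(text_conv, &b, "constructed motd \033[2J line"); /* constructed input */
    printf("text_conv rc=%d relayed=%s", rc, b.data);
    return emit_info(null_conv, &b, "constructed motd") == PAM_CONV_ERR ? 0 : 1;
}
```

With `null_conv` installed, a module calling the conversation function only gets `PAM_CONV_ERR` back and its text never reaches the user's terminal, which is the symptom reported for pam_lastlog, pam_mail and pam_motd.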