PAM sessions and conversation functions

Darren J Moffat Darren.Moffat at Sun.COM
Wed Sep 24 10:12:22 EST 2003


On Tue, 23 Sep 2003, Colin Watson wrote:

> In OpenSSH 3.6.1p2, pam_open_session() ran with a conversation function,
> do_pam_conversation(), that fed text to the client. In OpenSSH 3.7.1p2,
> this is no longer the case: session modules run with a conversation
> function that just returns PAM_CONV_ERR. This means that simple session
> modules whose job involves printing text on the user's terminal no
> longer work: pam_lastlog, pam_mail, and pam_motd.

For the "password" authentication that is perfectly correct behaviour
because there is nowhere to send that output at that time.

For keyboard-interactive you can print the messages so that can have a
"real" conversation function.

--
Darren J Moffat
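
The difference discussed in this thread, as an added example that is not part of the original message and is not OpenSSH code: a conversation function that always returns PAM_CONV_ERR next to an output-only one that prints PAM_TEXT_INFO and PAM_ERROR_INFO messages and refuses prompts. The names null_conv, text_conv and send_info are hypothetical, and the fallback definitions are stand-ins using Linux-PAM's values so the file builds without libpam headers.

```c
#include <stdio.h>
#include <stdlib.h>
#ifdef __has_include
# if __has_include(<security/pam_appl.h>)
#  include <security/pam_appl.h>
#  define HAVE_PAM_HEADER 1
# endif
#endif
#ifndef HAVE_PAM_HEADER
/* Stand-ins (assumption: Linux-PAM values) used only when the header is absent. */
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1,
       PAM_PROMPT_ECHO_ON = 2, PAM_ERROR_INFO = 3, PAM_TEXT_INFO = 4 };
#endif

/* Refuses every message: a module calling this cannot print anything. */
static int null_conv(int n, const struct pam_message **msg,
                     struct pam_response **resp, void *appdata)
{
    (void)n; (void)msg; (void)resp; (void)appdata;
    return PAM_CONV_ERR;
}
/* Output-only conversation: appdata is a FILE * that reaches the user. */
static int text_conv(int n, const struct pam_message **msg,
                     struct pam_response **resp, void *appdata)
{
    FILE *out = appdata;
    if (n <= 0 || !msg || !resp || !out) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++)   /* check every style before printing anything */
        if (msg[i]->msg_style != PAM_TEXT_INFO && msg[i]->msg_style != PAM_ERROR_INFO)
            return PAM_CONV_ERR;  /* prompts need input that cannot be collected here */
    struct pam_response *r = calloc((size_t)n, sizeof *r);  /* caller frees */
    if (r == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) fprintf(out, "%s\n", msg[i]->msg);
    *resp = r;
    return PAM_SUCCESS;
}
/* Plays the part of a session module sending one message through conv. */
typedef int (*conv_fn)(int, const struct pam_message **, struct pam_response **, void *);
static int send_info(conv_fn conv, void *appdata, int style, const char *text)
{
    struct pam_message m = { .msg_style = style, .msg = (char *)text };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    int rc = conv(1, &mp, &r, appdata);
    free(r);
    return rc;
}
```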



