PAM patch for openssh 3.7.1p2

Case Larsen CTLarsen at lbl.gov
Fri Feb 27 11:35:08 EST 2004


SecureComputing's  PAM library doesn't pass back the correct context to 
the pam_conversation function, i.e. it passes back NULL.  So this patch 
works around this fact.

You will likely want this hack only if you expect to use pam_safeword.so 
in your authentication check, and only if you run sshd in privilege 
separation (separate process) mode, so that the PAM conversation is 
single-threaded.

The second patch lets the Solaris package builder turn PAM on 
automatically at install time.

--- auth-pam.c  2004/02/26 19:35:52     1.1.1.1
+++ auth-pam.c  2004/02/27 00:26:00
@@ -124,7 +124,10 @@
         int              pam_csock;
         int              pam_done;
  };
+static struct pam_ctxt *sshpam_ctxt; /* hack for pam library not 
passing back
+                                       ctxt */

+
  static void sshpam_free_ctx(void *);

  /*
@@ -142,6 +145,10 @@
         *resp = NULL;

         ctxt = data;
+       if ( ctxt == NULL )
+       {
+           ctxt = sshpam_ctxt;
+       }
         if (n <= 0 || n > PAM_MAX_NUM_MSG)
                 return (PAM_CONV_ERR);
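Review bot: The fallback at `ctxt = sshpam_ctxt;` never checks that the file-scope pointer is itself set, so a callback that arrives with NULL appdata before the assignment in the third hunk continues with a NULL `ctxt`. The function body continues outside this hunk and presumably dereferences `ctxt` there, so the guard should fail closed: `if (ctxt == NULL && (ctxt = sshpam_ctxt) == NULL) return (PAM_CONV_ERR);`. Moving the fallback below the `n` range check would also keep the cheap input validation first.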

@@ -221,6 +228,7 @@

         sshpam_conv.conv = sshpam_thread_conv;
         sshpam_conv.appdata_ptr = ctxt;
+       sshpam_ctxt = ctxt;

         buffer_init(&buffer);
         sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
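Review bot: `sshpam_ctxt` is assigned here but nothing in the visible hunks ever resets it, so the pointer can outlive the context it names. If that context is released while the conversation callback can still run (a `sshpam_free_ctx` is declared in the first hunk; its body is not shown), the NULL-appdata fallback would read freed memory. Clearing the pointer wherever the context is freed, e.g. `if (sshpam_ctxt == ctxt) sshpam_ctxt = NULL;`, keeps the workaround from handing out a dangling pointer. The enclosing function starts and ends outside this hunk.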


--- contrib/solaris/buildpkg.sh 2004/02/26 19:35:55     1.1.1.1
+++ contrib/solaris/buildpkg.sh 2004/02/27 00:27:00
@@ -18,14 +18,15 @@
  # with a real OpenSSH package on a system. This is not needed on 
systems
  # that support the -R option to pkgadd.
  #TEST_DIR=/var/tmp     # leave commented out for production build
PKGNAME=OpenSSH
SYSVINIT_NAME=opensshd
  MAKE=${MAKE:="make"}
  SSHDUID=67     # Default privsep uid
  SSHDGID=67     # Default privsep gid
  # uncomment these next two as needed
  #PERMIT_ROOT_LOGIN=no
#X11_FORWARDING=yes
+#USEPAM=yes
  # list of system directories we do NOT want to change owner/group/perms
  # when installing our package
  SYSTEM_DIR="/etc       \
@@ -143,6 +144,9 @@
                 $FAKE_ROOT/${sysconfdir}/sshd_config
  [ "${X11_FORWARDING}" = yes ]  &&  \
         perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
+               $FAKE_ROOT/${sysconfdir}/sshd_config
+[ "${USEPAM}" = yes ]  &&  \
+       perl -p -i -e "s/#UsePAM yes/UsePAM yes/" \
                 $FAKE_ROOT/${sysconfdir}/sshd_config
  # fix PrintMotd
  perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \
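Review bot: The added substitution `s/#UsePAM yes/UsePAM yes/` only fires when the shipped sshd_config contains exactly `#UsePAM yes`. If the template line carries a different default, perl exits successfully without changing anything and the package installs with PAM still off even though USEPAM=yes was requested. Since this setting decides which authentication stack sshd uses, matching either value is safer: `perl -p -i -e "s/^#UsePAM (yes|no)/UsePAM yes/"`. A following `grep` that fails the build when no `UsePAM yes` line results would catch any remaining mismatch.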



