What is print_pam_messages() used for ?
Ralf Hack
ralf.hack at pipex.net
Fri Jan 16 11:52:55 EST 2004
Darren,
Thanks for looking into this.
>NEW_AUTHTOK_REQD should be fixed in -current for SSHv2
>keyboard-interactive authentication (it works for me on my test
>platforms, but you may not get all of the messages on Solaris or
>HP-UX yet).
It did work fine for me (using pam_ldap on FreeBSD 4.7 -- mind, with
a customised libc since nsswitch isn't implemented on 4.7). I just
never got the messages associated, such as 'You are required to
change your password immediately.'
>print_pam_messages had been more or less superseded by the generic
>Buffer loginmsg. There's still a couple more loginmsg changes I
>hope to make, after which print_pam_messages() should be gone
>altogether.
>
>> By any chance, is someone working on a patch to show these
>>warning messages ?
I figured that you do something smart there, hence my query.
>There have been changes since 3.7.1p2 to allow the display of
>messages from session modules, and the remaining messages after
>challenge-response authentication. I'm not sure if those will
>include your messages from pam_ldap, but if you haven't already,
>please try a recent snapshot.
>(ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/)
I will try it. However, the messages are created in
do_pam_account()->pam_acct_mgmt(). Unlike other parts, this one does
not have a conversation function installed. Therefore, I doubt that
you will receive these messages in the first place.
I also noticed that I couldn't convince you yet that HAVE_SETPCRED
and USE_PAM are mutually exclusive in session.c:do_setusercontext().
On the danger that you won't trust my bug reports for the rest of my
life, this is true. The #ifdefs are staggered so that USE_PAM is
_only_ in the #else branch of HAVE_SETPCRED. I spiced the code with
#errors to prove it to myself.
Ralf.
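
The point above about pam_acct_mgmt() running without a conversation function, as an added example that is not OpenSSH's code and not from this thread: a conversation callback that queues PAM_TEXT_INFO and PAM_ERROR_MSG text for later display and refuses prompts. The names `struct loginbuf`, `loginbuf_add` and `acct_conv` are hypothetical, and the fallback declarations assume the Linux-PAM layout and constant values.

```c
#include <stdlib.h>
#include <string.h>
#ifdef __has_include
# if __has_include(<security/pam_appl.h>)
#  include <security/pam_appl.h>
#  define HAVE_PAM_HDR 1
# endif
#endif
#ifndef HAVE_PAM_HDR
/* Assumed stand-ins (Linux-PAM layout) so this builds without PAM headers. */
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2,
       PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4, PAM_CONV_ERR = 19 };
#endif

/* Hypothetical buffer for messages to show the user after login. */
struct loginbuf { char text[1024]; size_t len; };

static int loginbuf_add(struct loginbuf *b, const char *s)
{
    size_t n = strlen(s);
    if (n + 2 > sizeof(b->text) - b->len)   /* text + '\n' + NUL must fit */
        return -1;
    memcpy(b->text + b->len, s, n);
    memcpy(b->text + b->len + n, "\n", 2);  /* newline plus terminating NUL */
    b->len += n + 1;
    return 0;
}

/* Conversation function for a non-interactive phase such as pam_acct_mgmt():
 * informational and error text is queued, any prompt is refused. */
static int acct_conv(int n, const struct pam_message **msg,
                     struct pam_response **resp, void *appdata)
{
    struct loginbuf *buf = appdata;
    struct pam_response *r;
    int i;

    if (n <= 0 || !msg || !resp || !buf || !(r = calloc((size_t)n, sizeof(*r))))
        return PAM_CONV_ERR;
    for (i = 0; i < n; i++) {
        int style = msg[i]->msg_style;      /* prompts cannot be answered here */
        if ((style != PAM_TEXT_INFO && style != PAM_ERROR_MSG) ||
            msg[i]->msg == NULL || loginbuf_add(buf, msg[i]->msg) != 0) {
            free(r);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;          /* empty responses; the calling module frees them */
    return PAM_SUCCESS;
}
```

A caller would pass `acct_conv` and a zeroed `struct loginbuf` in the `struct pam_conv` given to PAM before the account check, then print the buffer once the session is up.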