What is print_pam_messages() used for ?
Darren Tucker
dtucker at zip.com.au
Fri Jan 16 21:39:19 EST 2004
Ralf Hack wrote:
>> For sshv2, do_pam_account is called by sshpam_thread which has already
>> set the conversation function to sshpam_thread_conv, so the messages
>> should go to the keyboard-interactive device. Currently, however, the
>> messages returned with the failure will not, since the kbdint
>> conversation ends as soon as the authentication fails. I'm not sure
>> what to do about that.
>
>
> The user is allowed to change his/her own password. Naturally, that
> implies the authentication has gone through successfully.
>
> I am considering patching the code using the same conversation function
> in do_pam_account that is used in do_pam_session (tty_conv). In your
> considered opinion, will that work?
Probably not, since do_pam_account is called from the monitor way before
stdin/out gets connected to the user. What you'll probably end up with
is the messages appearing amongst the server-side debug output when the
server is running in debug mode.

What might work is a conversation function that just stores the messages
and a way to retrieve them from the monitor (I've got some patches
around that do the latter, but it's probably not trivial).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
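
One form of the store-only conversation function suggested in the reply above, as an added example (not OpenSSH code and not the patches the reply mentions). The names `store_conv` and `stored_msgs` are hypothetical, the PAM types are local stand-ins for `<security/pam_appl.h>` using Linux-PAM values and its message-array convention, and the transfer from the monitor to the user's session is not shown.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-ins for <security/pam_appl.h> (Linux-PAM values); drop with the real header. */
#define PAM_SUCCESS 0
#define PAM_CONV_ERR 19
#define PAM_ERROR_MSG 3
#define PAM_TEXT_INFO 4
#define PAM_MAX_NUM_MSG 32
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* Hypothetical store the monitor would later relay to the user's session. */
struct stored_msgs { char buf[1024]; size_t len; };

/* Conversation function that only records info/error text. Prompts are
 * refused: no user is attached when the account check runs. */
static int store_conv(int n, const struct pam_message **msg,
    struct pam_response **resp, void *appdata)
{
    struct stored_msgs *s = appdata;
    int i;
    if (n <= 0 || n > PAM_MAX_NUM_MSG || !msg || !resp || !s)
        return PAM_CONV_ERR;
    for (i = 0; i < n; i++)   /* validate all first: store nothing on failure */
        if (msg[i]->msg_style != PAM_ERROR_MSG &&
            msg[i]->msg_style != PAM_TEXT_INFO)
            return PAM_CONV_ERR;
    if ((*resp = calloc((size_t)n, sizeof(**resp))) == NULL)
        return PAM_CONV_ERR;
    for (i = 0; i < n; i++) {
        size_t room = sizeof(s->buf) - s->len;   /* always >= 1 */
        int w = snprintf(s->buf + s->len, room, "%s\n", msg[i]->msg ? msg[i]->msg : "");
        if (w > 0)   /* on truncation keep what fit, still NUL-terminated */
            s->len += (size_t)w < room ? (size_t)w : room - 1;
    }
    return PAM_SUCCESS;   /* caller frees *resp, as a PAM module would */
}

int main(void)
{
    struct stored_msgs s = { "", 0 };
    struct pam_message m = { PAM_TEXT_INFO, "Password expires in 3 days." };
    const struct pam_message *v[] = { &m };   /* constructed sample message */
    struct pam_response *r = NULL;
    if (store_conv(1, v, &r, &s) == PAM_SUCCESS)
        fputs(s.buf, stdout);   /* stands in for later delivery to the user */
    free(r);
    return 0;
}
```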