What is print_pam_messages() used for ?

Darren Tucker dtucker at zip.com.au
Fri Jan 16 21:39:19 EST 2004

Ralf Hack wrote:
>> For sshv2, do_pam_account is called by sshpam_thread which has already 
>> set the conversation function to sshpam_thread_conv, so the messages 
>> should go to the keyboard-interactive device.  Currently, however, the 
>> messages returned with the failure will not, since the kbdint 
>> conversation ends as soon as the authentication fails.  I'm not sure 
>> what to do about that.
> The user is allowed to change his/her own password. Naturally, that 
> implies the authentication has gone through successfully.
> I am considering to patch the code using the same conversation function  
> in do_pam_account that is used in do_pam_session (tty_conv). In your 
> considered opinion, will that work ?

Probably not, since do_pam_account is called from the monitor way before 
stdin/out gets connected to the user.  What you'll probably end up with 
is the messages appearing amongst the server-side debug output when the 
server is running in debug mode.

What might work is a conversation function that just stores the messages 
and a way to retrieve them from the monitor (I've got some patches 
around that do the latter, but it's probably not trivial).

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list