Debian bug #236814: sshd+PAM: MOTD isn't printed when privsep=no
Darren Tucker
dtucker at zip.com.au
Tue Jun 29 22:34:29 EST 2004
Hi.
If sshd is configured to use PAM and UsePrivilegeSeparation=no or you
are logging is as root, any messages returned by PAM session modules are
not displayed to the user. (Even when the config file has privsep=yes,
logging in as root disables privsep anyway since there's no point, so it
behaves the same way as privsep=no).
I think I've figured out why: when privsep=no, do_pam_session is called
*after* display_loginmsg, so the PAM messages are stored too late to be
displayed to the user.
One option would be to move display_loginmsg later, but that would
change the message order on other platforms, so the attached patch just
adds another call after do_setusercontext (the buffer is cleared after
each, so there won't be duplicate messages).
It would also be possible to use pam_tty_conv for privsep=no if we have
a tty. This would allow a session module that needs to interact with
the user to work too, but it would require more surgery to
do_setusercontext and do_pam_session (we can do this too if there's a need).
The patch is against -current but it looks like it will apply cleanly
to 3.8.1p1 too.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-pam-privsep-msg.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040629/47e46b71/attachment.ksh
More information about the openssh-unix-dev
mailing list