Debian bug #236814: sshd+PAM: MOTD isn't printed when privsep=no

Darren Tucker dtucker at zip.com.au
Tue Jun 29 22:34:29 EST 2004


Hi.
	If sshd is configured to use PAM and UsePrivilegeSeparation=no or you 
are logging in as root, any messages returned by PAM session modules are 
not displayed to the user.  (Even when the config file has privsep=yes, 
logging in as root disables privsep anyway since there's no point, so it 
behaves the same way as privsep=no).

	I think I've figured out why: when privsep=no, do_pam_session is called 
*after* display_loginmsg, so the PAM messages are stored too late to be 
displayed to the user.

	One option would be to move display_loginmsg later, but that would 
change the message order on other platforms, so the attached patch just 
adds another call after do_setusercontext (the buffer is cleared after 
each, so there won't be duplicate messages).

	It would also be possible to use pam_tty_conv for privsep=no if we have 
a tty.  This would allow a session module that needs to interact with 
the user to work too, but it would require more surgery to 
do_setusercontext and do_pam_session (we can do this too if there's a need).

	The patch is against -current but it looks like it will apply cleanly 
to 3.8.1p1 too.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
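
The call ordering the report describes, as an added example that is not OpenSSH's code: a small C model of sshd's login-message buffer, with function names taken from the report and the bodies, the `shown` buffer and the message text assumed for illustration.

```c
/* Added example: a simplified C model of the sshd login-message buffer,
 * written for this bug report. It is not OpenSSH's source; function names
 * follow the report, bodies and the "shown" buffer are ours for checking
 * what a user actually sees. */
#include <stdio.h>
#include <string.h>

#define MSG_MAX 512
static char loginmsg[MSG_MAX]; /* text queued for the user (filled by PAM conv) */
static char shown[MSG_MAX];    /* everything actually printed in this login */

static void loginmsg_append(const char *s)
{
    strncat(loginmsg, s, MSG_MAX - strlen(loginmsg) - 1);
}

/* Print whatever is queued, then clear it: a second call cannot duplicate. */
static void display_loginmsg(void)
{
    if (loginmsg[0] == '\0')
        return;
    fputs(loginmsg, stdout);
    strncat(shown, loginmsg, MSG_MAX - strlen(shown) - 1);
    loginmsg[0] = '\0';
}

/* PAM session phase: a session module (pam_motd, say) returns a message
 * through the conversation function, which only stores it for later display. */
static void do_pam_session(void)
{
    loginmsg_append("[motd from PAM session module]\n");
}

/* With privsep=no the session is opened from do_setusercontext; with
 * privsep=yes the monitor already opened it before the child runs. */
static void do_setusercontext(int use_privsep)
{
    if (!use_privsep)
        do_pam_session();
}

/* Returns what the user saw. with_fix adds the extra display_loginmsg()
 * call after do_setusercontext(), as the report's patch does. */
const char *login_flow(int use_privsep, int with_fix)
{
    loginmsg[0] = shown[0] = '\0';
    if (use_privsep)
        do_pam_session();      /* done early, in the privileged monitor */
    display_loginmsg();        /* too early for the privsep=no case */
    do_setusercontext(use_privsep);
    if (with_fix)
        display_loginmsg();    /* buffer already empty in the privsep=yes case */
    return shown;
}
```

Running the four combinations shows the privsep=no path prints nothing without the second call and exactly one copy with it, while the privsep=yes path is unchanged by the patch.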

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-pam-privsep-msg.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040629/47e46b71/attachment.ksh 