PAM_AUTH_ERR messages

Darren Tucker dtucker at
Sun May 1 11:56:36 EST 2005

David Leonard wrote:
>>Sean wrote:
>>>There seems to be no way for PAM to inform a user why her ssh login
>>>attempt is being denied.   Neither PAM_TEXT_INFO or PAM_ERROR_MSG
>>>conversation messages are passed on to the user by sshd unless the login
>>>is successful.   This is causing great frustration for us at several sites
>>>where users can't figure out why their logins aren't working.
> I'm seeing the same problem being hit here. (4.0p1 keyboard-interactive)
> Our pam module believes that calling through the pam_conv (during auth,
> and just before returning PAM_AUTH_ERR) will display an important message
> to the user. But it doesn't, and it causes confusion.

OK, this is a separate problem to the one Sean is having.

I had a patch a while back that worked around this by sending kbdint
packets with text but no prompt, however the patch was truly evil.

Using a ssh2 banner message might be a viable option for this too.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
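
Added example (not part of the original message and not OpenSSH code): what a keyboard-interactive packet "with text but no prompt" looks like on the wire, assuming the packet meant is the RFC 4256 SSH_MSG_USERAUTH_INFO_REQUEST with num-prompts set to 0. The function names and the sample denial text are made up for illustration.

```python
import struct

SSH_MSG_USERAUTH_INFO_REQUEST = 60  # RFC 4256, section 5

def _string(data: bytes) -> bytes:
    """SSH 'string': uint32 length followed by the raw bytes."""
    return struct.pack(">I", len(data)) + data

def build_info_request(name, instruction, prompts=()):
    """Encode the payload; prompts is a sequence of (text, echo) pairs."""
    out = bytes([SSH_MSG_USERAUTH_INFO_REQUEST])
    out += _string(name.encode("utf-8"))
    out += _string(instruction.encode("utf-8"))
    out += _string(b"")  # language tag, deprecated, sent empty
    out += struct.pack(">I", len(prompts))
    for text, echo in prompts:
        out += _string(text.encode("utf-8")) + bytes([1 if echo else 0])
    return out

def parse_info_request(payload):
    """Decode a payload, rejecting truncated or over-long input."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_INFO_REQUEST")
    pos = 1

    def take(n):
        nonlocal pos
        if pos + n > len(payload):
            raise ValueError("truncated packet")
        chunk = payload[pos:pos + n]
        pos += n
        return chunk

    def take_string():
        (length,) = struct.unpack(">I", take(4))
        return take(length)

    name = take_string().decode("utf-8")
    instruction = take_string().decode("utf-8")
    take_string()  # language tag, ignored
    (count,) = struct.unpack(">I", take(4))
    prompts = []
    for _ in range(count):
        text = take_string().decode("utf-8")
        prompts.append((text, take(1) != b"\x00"))
    if pos != len(payload):
        raise ValueError("trailing bytes after last prompt")
    return name, instruction, prompts

# Constructed sample: the text a PAM module wanted shown, with no prompt.
DENIAL = build_info_request("", "Account locked: contact the help desk.")
```

With zero prompts the instruction field is the only place the message text can travel, so whether the user sees it depends on the client displaying that field before it replies.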

More information about the openssh-unix-dev mailing list