PAM_AUTH_ERR messages

Darren Tucker dtucker at
Sun May 1 12:04:53 EST 2005

Sean wrote:
> On Sat, April 30, 2005 11:58 am, David Leonard said:
>>I'm seeing the same problem being hit here. (4.0p1 keyboard-interactive)
>>Our pam module believes that calling through the pam_conv (during auth,
>>and just before returning PAM_AUTH_ERR) will display an important message
>>to the user. But it doesn't, and it causes confusion.
> Yes exactly.  It's interesting that the PAM module works just as expected
> with telnetd.  openssh just handles it differently.

That's because the SSH{1,2} protocols are fundamentally different to a 
telnet session.  (PAM's API makes it tricky to use for SSH too, however 
that's a separate rant.)

>>I'd love to see a fix for it too, though I think adding a delay is
> Perhaps it could be configurable.  The only reason for the suggestion is
> that some clients (Putty in this case)  are configured to auto close the
> window on disconnection.   The idea was to make sure the user had time to
> read the message, but a "press enter to continue..." type thing would work
> too.

You can hack a fflush and sleep into session.c but I don't think it 
should be yet another sshd option.  If the user has configured the 
client to close immediately, taking any useful information with it then 
that's their problem.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list