PAM_AUTH_ERR messages
Darren Tucker
dtucker at zip.com.au
Sun May 1 12:04:53 EST 2005
Sean wrote:
> On Sat, April 30, 2005 11:58 am, David Leonard said:
>>I'm seeing the same problem being hit here. (4.0p1 keyboard-interactive)
>>
>>Our pam module believes that calling through the pam_conv (during auth,
>>and just before returning PAM_AUTH_ERR) will display an important message
>>to the user. But it doesn't, and it causes confusion.
>
> Yes exactly. It's interesting that the PAM module works just as expected
> with telnetd. openssh just handles it differently.
That's because the SSH{1,2} protocols are fundamentally different to a
telnet session. (PAM's API makes it tricky to use for SSH too, however
that's a separate rant.)
>>I'd love to see a fix for it too, though I think adding a delay is
>>unnecessary.
>
> Perhaps it could be configurable. The only reason for the suggestion is
> that some clients (Putty in this case) are configured to auto close the
> window on disconnection. The idea was to make sure the user had time to
> read the message, but a "press enter to continue..." type thing would work
> too.
You can hack a fflush and sleep into session.c but I don't think it
should be yet another sshd option. If the user has configured the
client to close immediately, taking any useful information with it then
that's their problem.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list