Only one chance to enter a new password?

Richard Dickens Richard.Dickens at
Mon Jan 23 22:35:25 EST 2006


The UsePrivilegeSeparation issue was one that I reported to this list in
Nov 2004. It was to do with authorization messages not getting
syslogged. Here's what you wrote at the time:

>The reason it's not logged is privsep: the packet_disconnect and logit
call happen in the unprivileged child >(which is chrooted and doesn't
have access to /dev/log).  Trying it with UsePrivilegeSeparation=no has
>messages logged OK.  Not sure how to fix it for privsep=yes, other than
adding a /dev/log to the chroot.

Regarding the patch, it may take me a while to find somewhere to build
the change. Stay tuned!


-----Original Message-----
From: Darren Tucker [mailto:dtucker at] 
Sent: 23 January 2006 11:22
To: Richard Dickens
Cc: openssh-unix-dev at
Subject: Re: Only one chance to enter a new password?

On Mon, Jan 23, 2006 at 10:16:09AM +0000, Richard Dickens wrote:
> UsePAM yes
> UsePrivilegeSeparation no

OK, think I see what's going on.  It's a non-issue for command line
clients since the message will remain on the screen.

Please try the attached 3-chance patch (against -current but should
apply to 4.2p1 as well).

> UsePrivilegeSeparation no is used to make sure messages get logged.

Could you please elaborate on that?  As far as possible, sshd should
behave the same with or without privsep wrt PAM, so I want to figure out
if it's a known issue or something new.

Index: auth-pam.c
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
retrieving revision 1.127
diff -u -p -r1.127 auth-pam.c
--- auth-pam.c	28 Sep 2005 12:33:27 -0000	1.127
+++ auth-pam.c	23 Jan 2006 11:15:04 -0000
@@ -979,6 +979,8 @@ static struct pam_conv tty_conv = { sshp  void
+	int count = 0;
 	if (use_privsep)
 		fatal("Password expired (unable to change with
 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, @@ -987,10
+989,16 @@ do_pam_chauthtok(void)
 		fatal("PAM: failed to set PAM_CONV: %s",
 		    pam_strerror(sshpam_handle, sshpam_err));
 	debug("PAM: changing password");
-	sshpam_err = pam_chauthtok(sshpam_handle,
-	if (sshpam_err != PAM_SUCCESS)
-		fatal("PAM: pam_chauthtok(): %s",
-		    pam_strerror(sshpam_handle, sshpam_err));
+	do {
+		sshpam_err = pam_chauthtok(sshpam_handle,
+		fprintf(stderr, "Password change: %s\n",
+		    pam_strerror(sshpam_handle, sshpam_err));
+		if (sshpam_err == PAM_SUCCESS)
+			return;
+	} while (count++ < 3);
+	fatal("PAM: pam_chauthtok(): %s",
+	    pam_strerror(sshpam_handle, sshpam_err));

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

To find out more about Reuters visit

Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.

More information about the openssh-unix-dev mailing list