Buffer flush when using pam_info

Felix Rubio felix at kngnt.org
Sat Apr 1 02:03:17 AEDT 2017


I think I have started to understand: pam_info messages (together with 
pam_error messages) are packed together into SSH2_MSG_USERAUTH_BANNER 
messages. I have not checked it yet, but probably the pam_prompt 
triggers either the sending of this message to the client, or the display 
of these messages in the client.

Can somebody tell me if this is the case? What I am trying to do is: I 
have a script that produces a URL that is supposed to be sent to the 
client, and wait while polling a web service. When the user has 
authenticated on this server, the script is notified and returns zero or 
one. Therefore, I need to find a way to send a string to the ssh client, 
and have it display this string.

Thank you for your time,
Felix

---
Felix Rubio
"Don't believe what you're told. Double check."

On 2017-03-31 10:44, Felix Rubio wrote:
> Hi all,
> 
>    I had posted a related question to the pam developers list, but I have
> continued investigating and it seems to be a question for this mailing
> list. I have a script to be used by pam_exec when logging into a
> system through the openssh client. This script writes a message to its
> stdout, which is passed to ssh_thread_conv (auth-pam.c) by a call to
> pam_info, in pam_exec.so. The message is passed to ssh_msg_send, which
> issues a write to the corresponding file descriptor.
> 
>    The problem is: I never get to see that message in the ssh client.
> OTOH, if I modify pam_exec module to issue a pam_prompt instead of a
> pam_info, the message appears on the ssh client. The relevant code for
> both functionalities in auth-pam.c is:
> 
> static int
> sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
>     struct pam_response **resp, void *data)
> {
>  .....
>                 case PAM_PROMPT_ECHO_OFF:
>                 case PAM_PROMPT_ECHO_ON:
>                         buffer_put_cstring(&buffer,
>                             PAM_MSG_MEMBER(msg, i, msg));
>                         if (ssh_msg_send(ctxt->pam_csock,
>                             PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
>                                 goto fail;
>                         if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1)
>                                 goto fail;
>                         if (buffer_get_char(&buffer) != PAM_AUTHTOK)
>                                 goto fail;
>                         reply[i].resp = buffer_get_string(&buffer, NULL);
>                         break;
>                 case PAM_ERROR_MSG:
>                 case PAM_TEXT_INFO:
>                         buffer_put_cstring(&buffer,
>                             PAM_MSG_MEMBER(msg, i, msg));
>                         if (ssh_msg_send(ctxt->pam_csock,
>                             PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
>                                 goto fail;
>                         break;
> .....
> }
> 
> As can be seen, the only difference (I have also checked the contents
> of ssh_msg_send) is in the fact that, when pam_prompt is used, a
> ssh_msg_send is followed by a ssh_msg_recv, whereas for a pam_info,
> only the ssh_msg_send is performed.
> 
> The OpenSSH version is 7.5p1, and the operating system is CentOS7.3.
> 
> Can somebody advise on whether this is a client or a server issue,
> and... yeah.. what can I do?
> 
> Thank you!
> Felix
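
An added illustration, not part of the original message and not OpenSSH code: a toy model of the buffering the reply above hypothesises, where PAM_TEXT_INFO and PAM_ERROR_MSG text is held back and only reaches the client in front of the next prompt. The `relay` struct, `relay_feed` and the sample URL are assumptions made for the example; the style values are those of Linux-PAM.

```c
#include <stdio.h>
#include <string.h>

/* Message styles, numbered as in Linux-PAM's <security/_pam_types.h>. */
enum { PROMPT_ECHO_OFF = 1, PROMPT_ECHO_ON = 2, ERROR_MSG = 3, TEXT_INFO = 4 };

struct conv_msg { int style; const char *text; };

/* Hypothetical receiving side: info/error text accumulates in `pending`
 * and is released only when a prompt arrives, since a prompt is the only
 * message the sender waits on (the ssh_msg_recv in the quoted excerpt). */
struct relay { char pending[512]; int flushes; };

/* Returns 1 and fills `out` when text is shown to the client,
 * 0 when the message was only buffered. */
int relay_feed(struct relay *r, const struct conv_msg *m, char *out, size_t outlen)
{
    switch (m->style) {
    case ERROR_MSG:
    case TEXT_INFO:
        /* Accumulate; nothing reaches the client yet. */
        strncat(r->pending, m->text, sizeof(r->pending) - strlen(r->pending) - 1);
        strncat(r->pending, "\n", sizeof(r->pending) - strlen(r->pending) - 1);
        return 0;
    case PROMPT_ECHO_OFF:
    case PROMPT_ECHO_ON:
        /* Flush the buffered text in front of the prompt. */
        snprintf(out, outlen, "%s%s", r->pending, m->text);
        r->pending[0] = '\0';
        r->flushes++;
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: the script's URL message, then a prompt. */
    struct conv_msg msgs[] = {
        { TEXT_INFO, "Visit https://auth.example.invalid/login to continue" },
        { PROMPT_ECHO_ON, "Press Enter when done: " },
    };
    struct relay r = { "", 0 };
    char out[1024] = "";
    for (size_t i = 0; i < 2; i++)
        printf("msg %zu shown=%d\n", i, relay_feed(&r, &msgs[i], out, sizeof out));
    printf("%s\n", out);
    return 0;
}
```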

