Buffer flush when using pam_info

Felix Rubio felix at kngnt.org
Fri Mar 31 19:44:12 AEDT 2017 

Hi all,

    I had posted a related question to pam developers list, but I have 
continued investigating and seems to be a question for this mailing 
list. I have a script to be used by pam_exec when logging into a system 
through openssh client. This script writes a message in its stdout, that 
is passed to ssh_thread_conv(auth-pam.c) by a call to pam_info, in 
pam_exec.so. The message is passed to ssh_msg_send, which issues a write 
into the corresponent file descriptor.

    The problem is: I never get to see that message in the ssh client. 
OTOH, if I modify pam_exec module to issue a pam_prompt instead of a 
pam_info, the message appears on the ssh client. The relevant code for 
both functionalities in auth-pam.c is:

static int
sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
     struct pam_response **resp, void *data)
{
  .....
                 case PAM_PROMPT_ECHO_OFF:
                 case PAM_PROMPT_ECHO_ON:
                         buffer_put_cstring(&buffer,
                             PAM_MSG_MEMBER(msg, i, msg));
                         if (ssh_msg_send(ctxt->pam_csock,
                             PAM_MSG_MEMBER(msg, i, msg_style), &buffer) 
== -1)
                                 goto fail;
                         if (ssh_msg_recv(ctxt->pam_csock, &buffer) == 
-1)
                                 goto fail;
                         if (buffer_get_char(&buffer) != PAM_AUTHTOK)
                                 goto fail;
                         reply[i].resp = buffer_get_string(&buffer, 
NULL);
                         break;
                 case PAM_ERROR_MSG:
                 case PAM_TEXT_INFO:
                         buffer_put_cstring(&buffer,
                             PAM_MSG_MEMBER(msg, i, msg));
                         if (ssh_msg_send(ctxt->pam_csock,
                             PAM_MSG_MEMBER(msg, i, msg_style), &buffer) 
== -1)
                                 goto fail;
                         break;
.....
}

As can be seen, the only difference (I have also checked the contents of 
ssh_msg_send) is in the fact that, when pam_prompt is used, a 
ssh_msg_send is followed by a ssh_msg_recv, whereas for a pam_info, only 
the ssh_msg_send is performed.

The OpenSSH version is 7.5p1, and the operating system is CentOS7.3.

Can somebody advice on whether this is a client or a server issue, 
and... yeah.. what can I do?

Thank you!
Felix

-- 
Felix Rubio
"Don't believe what you're told. Double check."

More information about the openssh-unix-dev mailing list