Hi,

I was investigating why I don't see any warnings from pam_ldap indicating the pending expiration of passwords as well as for PAM_NEW_AUTHTOK_REQD. Eventually, I found that do_pam_account() does not have a conversation function. Also, there is a function print_pam_messages (currently empty) which looks suspiciously like it is earmarked to show just those error messages:

    /* auth-pam.c */
    void print_pam_messages(void)
    {
        /* XXX */
    }

By any chance, is someone working on a patch to show these warning messages?

Thanks.

Ralf.
Ralf Hack wrote:
> I was investigating why I don't see any warnings from pam_ldap
> indicating the pending expiration of passwords as well as for
> PAM_NEW_AUTHTOK_REQD. Eventually, I found that do_pam_account() does not
> have a conversation function.

NEW_AUTHTOK_REQD should be fixed in -current for SSHv2 keyboard-interactive authentication (it works for me on my test platforms, but you may not get all of the messages on Solaris or HP-UX yet).

> Also, there is a function
> print_pam_messages (currently empty) which look suspiciously like it is
> ear marked to show just those error messages:
>
> /* auth-pam.c */
> void print_pam_messages(void)
> {
> /* XXX */
> }

print_pam_messages had been more or less superseded by the generic Buffer loginmsg. There's still a couple more loginmsg changes I hope to make, after which print_pam_messages() should be gone altogether.

> By any chance, is someone working on a patch to show these warning
> messages ?

There have been changes since 3.7.1p2 to allow the display of messages from session modules, and the remaining messages after challenge-response authentication. I'm not sure if those will include your messages from pam_ldap, but if you haven't already, please try a recent snapshot. (ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/)

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
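An added example, not OpenSSH's code and not written by either poster: a PAM conversation callback of the kind the thread says do_pam_account() lacks, which stores PAM_TEXT_INFO and PAM_ERROR_MSG text for later display and refuses anything that would need an answer. The names msgbuf, msgbuf_add and store_conv are hypothetical, and the array-of-pointers message layout is assumed to be Linux-PAM's.

```c
#include <stdio.h>
#include <stdlib.h>
#ifndef __has_include
#define __has_include(x) 0
#endif
#if __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else /* no PAM headers: minimal stand-ins using Linux-PAM's values */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19, PAM_MAX_NUM_MSG = 32,
       PAM_PROMPT_ECHO_OFF = 1, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
#endif

/* Hypothetical stand-in for a buffer of text shown to the user at login. */
struct msgbuf { char text[512]; size_t len; };

/* Append one line; on overflow leave the buffer unchanged and fail. */
int msgbuf_add(struct msgbuf *b, const char *s) {
    size_t room = sizeof(b->text) - b->len;
    int n = snprintf(b->text + b->len, room, "%s\n", s);
    if (n < 0 || (size_t)n >= room) {
        b->text[b->len] = '\0';
        return -1;
    }
    b->len += (size_t)n;
    return 0;
}

/* Conversation callback for a phase with no user interaction, such as
 * pam_acct_mgmt(): keep info/error text, refuse anything needing an answer.
 * Assumes Linux-PAM's layout for msg (array of pointers to messages). */
int store_conv(int n, const struct pam_message **msg,
               struct pam_response **resp, void *appdata) {
    struct msgbuf *b = appdata;
    if (n <= 0 || n > PAM_MAX_NUM_MSG || b == NULL)
        return PAM_CONV_ERR;
    size_t start = b->len;
    for (int i = 0; i < n; i++) {
        int style = msg[i]->msg_style;
        if ((style != PAM_TEXT_INFO && style != PAM_ERROR_MSG) ||
            msgbuf_add(b, msg[i]->msg) != 0) {
            b->len = start;          /* drop partial output */
            b->text[start] = '\0';
            return PAM_CONV_ERR;
        }
    }
    *resp = calloc((size_t)n, sizeof(**resp)); /* the calling module frees it */
    return *resp ? PAM_SUCCESS : PAM_BUF_ERR;
}
```

The callback is installed by passing it and a zero-initialised msgbuf as the conversation function and application data given to pam_start().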
Ralf Hack
2004-Jan-16 09:34 UTC
HAVE_LOGIN_CAP & USE_PAM [Was: What is print_pam_messages() used for ?
>Ralf Hack wrote:
>> midnight emailing typo: Replace HAVE_SETPCRED with HAVE_LOGIN_CAP
>>in my previous email. HAVE_LOGIN_CAP does have an #else branch and
>>it does have USE_PAM _only_ in the #else branch. Sorry for the
>>confusion.
>
>It would seem that if UsePam=yes, then pam_setcred should be used,
>otherwise setusercontext? Or should both be used when PAM is
>enabled?
>
>Previous thread:
>http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106924211427843
>

Sorry if I miss your question, not quite sure if I am with you yet. My concern was that do_pam_session() does not get called on FreeBSD. So I did patch the code to call both do_pam_session() and do_pam_setcred(0) in a mirror to the other (#else) part.

It is my understanding of PAM and the involved functions, that calling do_pam_setcred() often is a good thing. And there seem to be no adverse effects since I started using this change on FreeBSD.

Ralf.