SecureComputing's PAM library doesn't pass back the correct context to the pam_conversation function, i.e. it passes back NULL. So this patch works around this fact. likely you'll only want this hack if you expect to use pam_safeword.so in your authentication check, and only if you run sshd in privilege separation (separate process) mode so that the PAM conversation is single threaded. The second patch is for the solaris package builder to turn allow pam to be automatically turned on for install. --- auth-pam.c 2004/02/26 19:35:52 1.1.1.1 +++ auth-pam.c 2004/02/27 00:26:00 @@ -124,7 +124,10 @@ int pam_csock; int pam_done; }; +static struct pam_ctxt *sshpam_ctxt; /* hack for pam library not passing back + ctxt */ + static void sshpam_free_ctx(void *); /* @@ -142,6 +145,10 @@ *resp = NULL; ctxt = data; + if ( ctxt == NULL ) + { + ctxt = sshpam_ctxt; + } if (n <= 0 || n > PAM_MAX_NUM_MSG) return (PAM_CONV_ERR); @@ -221,6 +228,7 @@ sshpam_conv.conv = sshpam_thread_conv; sshpam_conv.appdata_ptr = ctxt; + sshpam_ctxt = ctxt; buffer_init(&buffer); sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, --- contrib/solaris/buildpkg.sh 2004/02/26 19:35:55 1.1.1.1 +++ contrib/solaris/buildpkg.sh 2004/02/27 00:27:00 @@ -18,14 +18,15 @@ # with a real OpenSSH package on a system. This is not needed on systems # that support the -R option to pkgadd. #TEST_DIR=/var/tmp # leave commented out for production build PKGNAME=OpenSSH SYSVINIT_NAME=opensshd MAKE=${MAKE:="make"} SSHDUID=67 # Default privsep uid SSHDGID=67 # Default privsep gid # uncomment these next two as needed #PERMIT_ROOT_LOGIN=no #X11_FORWARDING=yes +#USEPAM=yes # list of system directories we do NOT want to change owner/group/perms # when installing our package SYSTEM_DIR="/etc \ @@ -143,6 +144,9 @@ $FAKE_ROOT/${sysconfdir}/sshd_config [ "${X11_FORWARDING}" = yes ] && \ perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \ + $FAKE_ROOT/${sysconfdir}/sshd_config +[ "${USEPAM}" = yes ] && \ + perl -p -i -e "s/#UsePAM yes/UsePAM yes/" \ $FAKE_ROOT/${sysconfdir}/sshd_config # fix PrintMotd perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \