Darren Tucker
2004-Jun-29 12:34 UTC
Debian bug #236814: sshd+PAM: MOTD isn't printed when privsep=no
Hi. If sshd is configured to use PAM and UsePrivilegeSeparation=no or you are logging is as root, any messages returned by PAM session modules are not displayed to the user. (Even when the config file has privsep=yes, logging in as root disables privsep anyway since there's no point, so it behaves the same way as privsep=no). I think I've figured out why: when privsep=no, do_pam_session is called *after* display_loginmsg, so the PAM messages are stored too late to be displayed to the user. One option would be to move display_loginmsg later, but that would change the message order on other platforms, so the attached patch just adds another call after do_setusercontext (the buffer is cleared after each, so there won't be duplicate messages). It would also be possible to use pam_tty_conv for privsep=no if we have a tty. This would allow a session module that needs to interact with the user to work too, but it would require more surgery to do_setusercontext and do_pam_session (we can do this too if there's a need). The patch is against -current but it looks like it will apply cleanly to 3.8.1p1 too. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh-pam-privsep-msg.patch Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040629/47e46b71/attachment.ksh
Reasonably Related Threads
- [Bug 354] New: sshd with privsep doesn't do pam session setup properly
- OpenSSH 3.9p1 bug, .hushlogin is ignored
- [PATCH] Make PAM chauthtok_conv function into tty_conv
- BSD/OS with privsep
- bug in OpenSSH_4.3p2: pam_open_session() called but not close for root users