search for: pam_tty_conv

Hi All. Attached is a patch that converts pam_chauthtok_conv into a generic pam_tty_conv, which is used rather than null_conv for do_pam_session. This allows, for example, display of messages from PAM session modules. The accumulation of PAM messages into loginmsg won't help until there is a way to collect loginmsg from the monitor (see, eg, the patches for bug #463). This is b...

...One option would be to move display_loginmsg later, but that would change the message order on other platforms, so the attached patch just adds another call after do_setusercontext (the buffer is cleared after each, so there won't be duplicate messages). It would also be possible to use pam_tty_conv for privsep=no if we have a tty. This would allow a session module that needs to interact with the user to work too, but it would require more surgery to do_setusercontext and do_pam_session (we can do this too if there's a need). The patch is against -current but it looks like it will ap...

...e login process, this function is only used for pam_chauthtok() in some cases, and always after sshd has forked to set up for the user's shell. The code for the chauthtok looks like this (from OpenSSH 3.8.1p1's do_pam_chauthtok() in auth-pam.c): static struct pam_conv tty_conv = { pam_tty_conv, NULL }; [...] sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, (const void *)&tty_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); debug("PAM: changing passw...