- (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv,
authordtucker <dtucker>
Tue, 18 Nov 2003 01:42:07 +0000 (01:42 +0000)
committerdtucker <dtucker>
Tue, 18 Nov 2003 01:42:07 +0000 (01:42 +0000)
   and use it for do_pam_session.  Fixes problems like pam_motd not displaying
   anything.  ok djm@

ChangeLog
auth-pam.c

index 3282e943ab52674bb632065e13f762fbfb33671c..06e9fe927760c1b048a69e6ab404774ead04fcbb 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
-20031117
+20031118
  - (djm) Fix early exit for root auth success when UsePAM=yes and 
    PermitRootLogin=no
+ - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv,
+   and use it for do_pam_session.  Fixes problems like pam_motd not displaying
+   anything.  ok djm@
 
 20031117
  - (djm) OpenBSD CVS Sync
index e5ee5802252bd4b34537c1506666e5ee5ebed527..056e9aae39b0854e815179ceba2066da50851f89 100644 (file)
@@ -52,6 +52,7 @@ RCSID("$Id$");
 #include "auth-options.h"
 
 extern ServerOptions options;
+extern Buffer loginmsg;
 
 #define __unused
 
@@ -497,13 +498,9 @@ sshpam_query(void *ctx, char **name, char **info,
                case PAM_AUTH_ERR:
                        if (**prompts != NULL) {
                                /* drain any accumulated messages */
-#if 0 /* XXX - not compatible with privsep */
-                               packet_start(SSH2_MSG_USERAUTH_BANNER);
-                               packet_put_cstring(**prompts);
-                               packet_put_cstring("");
-                               packet_send();
-                               packet_write_wait();
-#endif
+                               debug("PAM: %s", **prompts);
+                               buffer_append(&loginmsg, **prompts,
+                                   strlen(**prompts));
                                xfree(**prompts);
                                **prompts = NULL;
                        }
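Review bot: `buffer_append(&loginmsg, **prompts, strlen(**prompts));` copies the PAM text with no separator or newline, so if more than one drained message reaches `loginmsg` (or other code appends to it) the pieces run together; unless the accumulated prompt is known to end in a newline, a following `buffer_append(&loginmsg, "\n", 1);` would keep them apart. The visible case label is PAM_AUTH_ERR, so text from a failed attempt is queued too; if `loginmsg` is printed after a later successful attempt on the same connection, that text would appear at login, which is worth confirming as intended. The removed block was marked as not compatible with privsep, so it also needs checking that the buffer written here is the one the printing process reads when privsep is on. The commit message does not mention this change, and sshpam_query's body continues outside the hunk.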
@@ -630,21 +627,6 @@ do_pam_account(void)
        return (1);
 }
 
-void
-do_pam_session(void)
-{
-       sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, 
-           (const void *)&null_conv);
-       if (sshpam_err != PAM_SUCCESS)
-               fatal("PAM: failed to set PAM_CONV: %s",
-                   pam_strerror(sshpam_handle, sshpam_err));
-       sshpam_err = pam_open_session(sshpam_handle, 0);
-       if (sshpam_err != PAM_SUCCESS)
-               fatal("PAM: pam_open_session(): %s",
-                   pam_strerror(sshpam_handle, sshpam_err));
-       sshpam_session_open = 1;
-}
-
 void
 do_pam_set_tty(const char *tty)
 {
@@ -691,7 +673,7 @@ is_pam_password_change_required(void)
 }
 
 static int
-pam_chauthtok_conv(int n, const struct pam_message **msg,
+pam_tty_conv(int n, const struct pam_message **msg,
     struct pam_response **resp, void *data)
 {
        char input[PAM_MAX_MSG_SIZE];
@@ -700,7 +682,7 @@ pam_chauthtok_conv(int n, const struct pam_message **msg,
 
        *resp = NULL;
 
-       if (n <= 0 || n > PAM_MAX_NUM_MSG)
+       if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO))
                return (PAM_CONV_ERR);
 
        if ((reply = malloc(n * sizeof(*reply))) == NULL)
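Review bot: The new `!isatty(STDIN_FILENO)` test in the guard makes the whole conversation return PAM_CONV_ERR when stdin is not a tty, and nothing says why; a comment such as `/* no tty on stdin: cannot prompt or display, so fail the conversation */` above the `if` would record the intent. Because the function is now shared, the check also applies to do_pam_chauthtok, and for do_pam_session it means display-only messages from session modules are refused for sessions without a tty, so the pam_motd fix presumably covers tty sessions only. The rest of the body is outside this hunk; if it reads a password into the stack buffer `input`, it is worth confirming that the buffer is cleared before every return.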
@@ -742,6 +724,8 @@ pam_chauthtok_conv(int n, const struct pam_message **msg,
        return (PAM_CONV_ERR);
 }
 
+static struct pam_conv tty_conv = { pam_tty_conv, NULL };
+
 /*
  * XXX this should be done in the authentication phase, but ssh1 doesn't
  * support that
@@ -749,15 +733,10 @@ pam_chauthtok_conv(int n, const struct pam_message **msg,
 void
 do_pam_chauthtok(void)
 {
-       struct pam_conv pam_conv;
-
-       pam_conv.conv = pam_chauthtok_conv;
-       pam_conv.appdata_ptr = NULL;
-
        if (use_privsep)
                fatal("Password expired (unable to change with privsep)");
        sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-           (const void *)&pam_conv);
+           (const void *)&tty_conv);
        if (sshpam_err != PAM_SUCCESS)
                fatal("PAM: failed to set PAM_CONV: %s",
                    pam_strerror(sshpam_handle, sshpam_err));
@@ -768,6 +747,21 @@ do_pam_chauthtok(void)
                    pam_strerror(sshpam_handle, sshpam_err));
 }
 
+void
+do_pam_session(void)
+{
+       sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, 
+           (const void *)&tty_conv);
+       if (sshpam_err != PAM_SUCCESS)
+               fatal("PAM: failed to set PAM_CONV: %s",
+                   pam_strerror(sshpam_handle, sshpam_err));
+       sshpam_err = pam_open_session(sshpam_handle, 0);
+       if (sshpam_err != PAM_SUCCESS)
+               fatal("PAM: pam_open_session(): %s",
+                   pam_strerror(sshpam_handle, sshpam_err));
+       sshpam_session_open = 1;
+}
+
 /* 
  * Set a PAM environment string. We need to do this so that the session
  * modules can handle things like Kerberos/GSI credentials that appear
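Review bot: do_pam_session now installs `tty_conv`, so session modules can prompt on and read from the process's stdin, yet the function carries no comment on what it expects of its caller. I would add a header comment along the lines of `/* Open the PAM session; call only once stdin is the session's tty, otherwise module messages are refused by pam_tty_conv */`. PAM_CONV is left pointing at `tty_conv` on return, so any later PAM call on `sshpam_handle` (session close, for example) would use the same conversation function; whether that is intended cannot be told from this hunk. The comment block at the end of the hunk belongs to the next function, which starts outside it.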