2 files changed, 75 insertions, 30 deletions

diff --git a/auth-pam.c b/auth-pam.c
index 8ffc1a587..b9f82a1d4 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -52,6 +52,7 @@ RCSID("$Id: auth-pam.c,v 1.72.2.2 2003/09/23 09:24:21 djm Exp $");
 #include "auth-options.h"
 
 extern ServerOptions options;
+extern Buffer loginmsg;
 
 #define __unused
 
@@ -419,13 +420,9 @@ sshpam_query(void *ctx, char **name, char **info,
                 case PAM_AUTH_ERR:
                         if (**prompts != NULL) {
                                 /* drain any accumulated messages */
-#if 0 /* XXX - not compatible with privsep */
-                                packet_start(SSH2_MSG_USERAUTH_BANNER);
-                                packet_put_cstring(**prompts);
-                                packet_put_cstring("");
-                                packet_send();
-                                packet_write_wait();
-#endif
+                                debug("PAM: %s", **prompts);
+                                buffer_append(&loginmsg, **prompts,
+                                    strlen(**prompts));
                                 xfree(**prompts);
                                 **prompts = NULL;
                         }
@@ -550,21 +547,6 @@ do_pam_account(void)
 }
 
 void
-do_pam_session(void)
-{
-        sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, 
-            (const void *)&null_conv);
-        if (sshpam_err != PAM_SUCCESS)
-                fatal("PAM: failed to set PAM_CONV: %s",
-                    pam_strerror(sshpam_handle, sshpam_err));
-        sshpam_err = pam_open_session(sshpam_handle, 0);
-        if (sshpam_err != PAM_SUCCESS)
-                fatal("PAM: pam_open_session(): %s",
-                    pam_strerror(sshpam_handle, sshpam_err));
-        sshpam_session_open = 1;
-}
-
-void
 do_pam_set_tty(const char *tty)
 {
         if (tty != NULL) {
@@ -610,7 +592,7 @@ is_pam_password_change_required(void)
 }
 
 static int
-pam_chauthtok_conv(int n, const struct pam_message **msg,
+pam_tty_conv(int n, const struct pam_message **msg,
     struct pam_response **resp, void *data)
 {
         char input[PAM_MAX_MSG_SIZE];
@@ -619,7 +601,7 @@ pam_chauthtok_conv(int n, const struct pam_message **msg,
 
         *resp = NULL;
 
-        if (n <= 0 || n > PAM_MAX_NUM_MSG)
+        if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO))
                 return (PAM_CONV_ERR);
 
         if ((reply = malloc(n * sizeof(*reply))) == NULL)
@@ -661,6 +643,8 @@ pam_chauthtok_conv(int n, const struct pam_message **msg,
         return (PAM_CONV_ERR);
 }
 
+static struct pam_conv tty_conv = { pam_tty_conv, NULL };
+
 /*
  * XXX this should be done in the authentication phase, but ssh1 doesn't
  * support that
@@ -668,15 +652,10 @@ pam_chauthtok_conv(int n, const struct pam_message **msg,
 void
 do_pam_chauthtok(void)
 {
-        struct pam_conv pam_conv;
-
-        pam_conv.conv = pam_chauthtok_conv;
-        pam_conv.appdata_ptr = NULL;
-
         if (use_privsep)
                 fatal("Password expired (unable to change with privsep)");
         sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-            (const void *)&pam_conv);
+            (const void *)&tty_conv);
         if (sshpam_err != PAM_SUCCESS)
                 fatal("PAM: failed to set PAM_CONV: %s",
                     pam_strerror(sshpam_handle, sshpam_err));
@@ -687,6 +666,67 @@ do_pam_chauthtok(void)
                     pam_strerror(sshpam_handle, sshpam_err));
 }
 
+static int
+pam_store_conv(int n, const struct pam_message **msg,
+    struct pam_response **resp, void *data)
+{
+        struct pam_response *reply;
+        int i;
+        size_t len;
+
+        debug3("PAM: %s called with %d messages", __func__, n);
+        *resp = NULL;
+
+        if (n <= 0 || n > PAM_MAX_NUM_MSG)
+                return (PAM_CONV_ERR);
+
+        if ((reply = malloc(n * sizeof(*reply))) == NULL)
+                return (PAM_CONV_ERR);
+        memset(reply, 0, n * sizeof(*reply));
+
+        for (i = 0; i < n; ++i) {
+                switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
+                case PAM_ERROR_MSG:
+                case PAM_TEXT_INFO:
+                        len = strlen(PAM_MSG_MEMBER(msg, i, msg));
+                        buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len);
+                        buffer_append(&loginmsg, "\n", 1 );
+                        reply[i].resp_retcode = PAM_SUCCESS;
+                        break;
+                default:
+                        goto fail;
+                }
+        }
+        *resp = reply;
+        return (PAM_SUCCESS);
+
+ fail:
+        for(i = 0; i < n; i++) {
+                if (reply[i].resp != NULL)
+                        xfree(reply[i].resp);
+        }
+        xfree(reply);
+        return (PAM_CONV_ERR);
+}
+
+static struct pam_conv store_conv = { pam_store_conv, NULL };
+
+void
+do_pam_session(void)
+{
+        debug3("PAM: opening session");
+        sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, 
+            (const void *)&store_conv);
+        if (sshpam_err != PAM_SUCCESS)
+                fatal("PAM: failed to set PAM_CONV: %s",
+                    pam_strerror(sshpam_handle, sshpam_err));
+        sshpam_err = pam_open_session(sshpam_handle, 0);
+        if (sshpam_err != PAM_SUCCESS)
+                fatal("PAM: pam_open_session(): %s",
+                    pam_strerror(sshpam_handle, sshpam_err));
+        sshpam_session_open = 1;
+}
+
 /* 
  * Set a PAM environment string. We need to do this so that the session
  * modules can handle things like Kerberos/GSI credentials that appear
diff --git a/debian/changelog b/debian/changelog
index f32d19477..e3f8de691 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,11 @@ openssh (1:3.7.1p2-1) UNRELEASED; urgency=low
   * New upstream release.
   * Remove -fno-builtin-log and -DHAVE_MMAP_ANON_SHARED compiler options,
     which are no longer necessary.
+  * Darren Tucker:
+    - Supply newlines in chauthtok PAM conversation function and in
+      accumulated PAM_TEXT_INFO and PAM_ERROR_MSG messages.
+    - Store output from pam_session and pam_setcred for display after login,
+      to fix problems with missing output from PAM session modules.
 
  -- Colin Watson <cjwatson@debian.org>  Tue, 23 Sep 2003 19:22:38 +0100