
Bug#236814: Debian bug #236814: sshd+PAM: MOTD isn't printed when privsep=no



Hi.
If sshd is configured to use PAM and UsePrivilegeSeparation=no or you are logging in as root, any messages returned by PAM session modules are not displayed to the user. (Even when the config file has privsep=yes, logging in as root disables privsep anyway since there's no point, so it behaves the same way as privsep=no).

I think I've figured out why: when privsep=no, do_pam_session is called *after* display_loginmsg, so the PAM messages are stored too late to be displayed to the user.

One option would be to move display_loginmsg later, but that would change the message order on other platforms, so the attached patch just adds another call after do_setusercontext (the buffer is cleared after each, so there won't be duplicate messages).

It would also be possible to use pam_tty_conv for privsep=no if we have a tty. This would allow a session module that needs to interact with the user to work too, but it would require more surgery to do_setusercontext and do_pam_session (we can do this too if there's a need).

The patch is against -current but it looks like it will apply cleanly to 3.8.1p1 too.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Index: session.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v
retrieving revision 1.282
diff -u -p -r1.282 session.c
--- session.c	22 Jun 2004 02:57:09 -0000	1.282
+++ session.c	29 Jun 2004 12:11:59 -0000
@@ -1431,6 +1431,13 @@ do_child(Session *s, const char *command
 #else /* HAVE_OSF_SIA */
 		do_nologin(pw);
 		do_setusercontext(pw);
+		/*
+		 * PAM session modules in do_setusercontext may have
+		 * generated messages, so if this in an interactive
+		 * login then display them too.
+		 */
+		if (command == NULL)
+			display_loginmsg();
 #endif /* HAVE_OSF_SIA */
 	}
 
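Review bot: the `command == NULL` guard on the new display_loginmsg() call means PAM session messages generated for a non-interactive session (`ssh host cmd`) are still discarded even though do_setusercontext() and its PAM session call run for those sessions too; if that is deliberate (mirroring how the existing display_loginmsg() call is gated), say so in the comment, otherwise the guard should be dropped. Minor: the comment has a typo, "if this in an interactive" should read "if this is an interactive". It would also help to state in the comment that display_loginmsg() empties the buffer, since that is what makes the second call safe from duplicating the motd already shown by the first.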

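The ordering problem described in the message, as an added example that is not OpenSSH code: a small C model of sshd's loginmsg buffer, the existing display_loginmsg() call in do_child(), and the PAM session call that do_setusercontext() makes when privsep is off. The function names mirror session.c but the bodies, the "motd:" and "pam:" lines, and the simulate_login() driver are assumptions made for this illustration. It shows why the PAM message is lost for privsep=no, why a second display call recovers it, and why the privsep=yes path does not print it twice.

```c
/*
 * Added example (not OpenSSH code): a model of how sshd's loginmsg
 * buffer is filled and flushed during login.  Names mirror session.c;
 * the bodies and sample messages are constructed for illustration.
 */
#include <stdio.h>
#include <string.h>

#define LOGINMSG_MAX 1024

/* Model of sshd's global loginmsg Buffer. */
struct loginmsg {
    char data[LOGINMSG_MAX];
    size_t len;
};

static void loginmsg_append(struct loginmsg *b, const char *s)
{
    size_t n = strlen(s);

    if (b->len + n >= sizeof(b->data))
        n = sizeof(b->data) - b->len - 1;
    memcpy(b->data + b->len, s, n);
    b->len += n;
    b->data[b->len] = '\0';
}

/*
 * Model of display_loginmsg(): write whatever is buffered to the user,
 * then clear the buffer so a later call cannot repeat it.  Returns the
 * number of "pam:" lines delivered by this call.
 */
static int display_loginmsg(struct loginmsg *b, FILE *out)
{
    int pam_lines = 0;
    const char *p = b->data;

    while (*p != '\0') {
        if (strncmp(p, "pam:", 4) == 0)
            pam_lines++;
        p = strchr(p, '\n');
        if (p == NULL)
            break;
        p++;
    }
    if (out != NULL)
        fputs(b->data, out);
    b->len = 0;
    b->data[0] = '\0';
    return pam_lines;
}

/* Model of a PAM session module that returns a message (constructed). */
static void do_pam_session(struct loginmsg *b)
{
    loginmsg_append(b, "pam: session module message\n");
}

/*
 * Model of the do_child() path.  With privsep the session is already
 * open (and its messages buffered) before the child displays the login
 * message; without privsep, or as root, the session is opened from
 * do_setusercontext(), after that display.  Returns how many times the
 * PAM message reached the user.
 */
int simulate_login(int use_privsep, int interactive, int patched, FILE *out)
{
    struct loginmsg loginmsg = { "", 0 };
    int shown = 0;

    loginmsg_append(&loginmsg, "motd: welcome\n");
    if (use_privsep)
        do_pam_session(&loginmsg);      /* opened before do_child() */

    if (interactive)
        shown += display_loginmsg(&loginmsg, out);   /* existing call */

    /* do_setusercontext(pw): opens the PAM session when privsep is off */
    if (!use_privsep)
        do_pam_session(&loginmsg);

    /* the patch's extra call, only for interactive logins (command == NULL) */
    if (patched && interactive)
        shown += display_loginmsg(&loginmsg, out);

    return shown;
}

int main(void)
{
    printf("privsep=yes, unpatched: %d\n", simulate_login(1, 1, 0, NULL));
    printf("privsep=no,  unpatched: %d\n", simulate_login(0, 1, 0, NULL));
    printf("privsep=no,  patched:   %d\n", simulate_login(0, 1, 1, NULL));
    printf("privsep=yes, patched:   %d\n", simulate_login(1, 1, 1, NULL));
    return 0;
}
```

Pass stdout instead of NULL to see the actual lines; the counts are what matter: the unpatched privsep=no path delivers the PAM line zero times, the patched path once, and the patched privsep=yes path still once because the first display already emptied the buffer.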