components/openssh/patches/042-pam_setcred_converse.patch
changeset 5612 ece68a956e2f
5610:3fd0658e8699 5612:ece68a956e2f
       
     1 #
       
     2 # Allow PAM conversation for pam_setcred for keyboard-interactive auth
       
     3 #
       
     4 # Currently OpenSSH runs pam_setcred with 'fake' conversation function
       
     5 # sshpam_store_conv. If some PAM module actually tries to converse for
       
     6 # pam_setcred, sshpam_store_conv fails with PAM_CONV_ERR.
       
     7 #
       
     8 # This patch moves calling pam_setcred to the end of actual PAM
       
     9 # authentication, where there still is a real conversation function
       
    10 # available. If pam_setcred was already called, doesn't call it the
       
    11 # second time in do_pam_setcred.
       
    12 #
       
    13 # Patch origin: in-house
       
    14 #
       
    15 # Reported upstream:
       
    16 # https://bugzilla.mindrot.org/show_bug.cgi?id=2549
       
    17 #
       
    18 
       
    19 diff -pur old/auth-pam.c new/auth-pam.c
       
    20 --- old/auth-pam.c
       
    21 +++ new/auth-pam.c
       
    22 @@ -399,6 +399,10 @@ sshpam_thread(struct pam_ctxt *ctxt)
       
    23  				goto auth_fail;
       
    24  			sshpam_password_change_required(0);
       
    25  		}
       
    26 +		sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
       
    27 +		if (sshpam_err != PAM_SUCCESS)
       
    28 +			goto auth_fail;
       
    29 +		
       
    30  	}
       
    31  
       
    32  	ctxt->pam_done = 1;
       
    33 @@ -968,6 +972,8 @@ do_pam_set_tty(const char *tty)
       
    34  void
       
    35  do_pam_setcred(int init)
       
    36  {
       
    37 +	if (compat20 && (sshpam_authenticated == 1))
       
    38 +		return;	/* pam_setcred already done */
       
    39  	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
       
    40  	    (const void *)&store_conv);
       
    41  	if (sshpam_err != PAM_SUCCESS)