|
1 # |
|
2 # Allow PAM conversation for pam_setcred for keyboard-interactive auth |
|
3 # |
|
4 # Currently OpenSSH runs pam_setcred with the 'fake' conversation function |
|
5 # sshpam_store_conv. If some PAM module actually tries to converse for |
|
6 # pam_setcred, sshpam_store_conv fails with PAM_CONV_ERR. |
|
7 # |
|
8 # This patch moves calling pam_setcred to the end of actual PAM |
|
9 # authentication, where there still is a real conversation function |
|
10 # available. If pam_setcred was already called, doesn't call it the |
|
11 # second time in do_pam_setcred. |
|
12 # |
|
13 # Patch origin: in-house |
|
14 # |
|
15 # Reported upstream: |
|
16 # https://bugzilla.mindrot.org/show_bug.cgi?id=2549 |
|
17 # |
|
18 |
|
19 diff -pur old/auth-pam.c new/auth-pam.c |
|
20 --- old/auth-pam.c |
|
21 +++ new/auth-pam.c |
|
22 @@ -399,6 +399,10 @@ sshpam_thread(struct pam_ctxt *ctxt) |
|
23 goto auth_fail; |
|
24 sshpam_password_change_required(0); |
|
25 } |
|
26 + sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED); |
|
27 + if (sshpam_err != PAM_SUCCESS) |
|
28 + goto auth_fail; |
|
29 + |
|
30 } |
|
31 |
|
32 ctxt->pam_done = 1; |
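Review bot: The pam_setcred(PAM_ESTABLISH_CRED) added before the closing brace runs inside sshpam_thread, so any credentials a module establishes there (supplementary groups, ticket caches, environment) take effect in whatever thread or child process sshpam_thread executes in, and the hunk does not show how that reaches the process that later sets up the user's session; this needs confirming before the parent-side call is skipped. A comment at the call site would record that assumption, e.g. `/* Establish credentials while a real conversation function is still set; assumes the side effects reach the session process. */`. When pam_setcred fails after pam_authenticate has succeeded, the jump to auth_fail should also drop any partially established credentials (pam_setcred(PAM_DELETE_CRED)) unless auth_fail already does so; auth_fail and the rest of sshpam_thread lie outside the hunk.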
|
33 @@ -968,6 +972,8 @@ do_pam_set_tty(const char *tty) |
|
34 void |
|
35 do_pam_setcred(int init) |
|
36 { |
|
37 + if (compat20 && (sshpam_authenticated == 1)) |
|
38 + return; /* pam_setcred already done */ |
|
39 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, |
|
40 (const void *)&store_conv); |
|
41 if (sshpam_err != PAM_SUCCESS) |
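Review bot: The new early return at the top of do_pam_setcred ignores the `init` parameter, so a caller requesting re-initialisation (init == 0) is skipped as well once sshpam_authenticated is set, and whatever bookkeeping the remainder of the function performs on success (the body continues past the hunk) is never done for the keyboard-interactive path, which presumably affects credential cleanup at session end. Limiting the skip to the establish case, `if (init && compat20 && sshpam_authenticated == 1)`, avoids that; it is also worth checking that sshpam_authenticated is not set by the password-auth path, which never executed the thread-side pam_setcred. A comment such as `/* keyboard-interactive already ran PAM_ESTABLISH_CRED in sshpam_thread */` would make the intent explicit.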