diff -r 3fd0658e8699 -r ece68a956e2f components/openssh/patches/042-pam_setcred_converse.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/042-pam_setcred_converse.patch Wed Mar 16 02:37:08 2016 -0700
@@ -0,0 +1,41 @@
+#
+# Allow PAM conversation for pam_setcred for keyboard-interactive auth
+#
+# Currently OpenSSH runs pam_setcred with 'fake' conversation function
+# sshpam_store_conv. If some PAM module actually tries to converse for
+# pam_setcred, sshpam_store_conv fails with PAM_CONV_ERR.
+#
+# This patch moves calling pam_setcred to the end of actual PAM
+# authentication, where there still is a real conversation function
+# available. If pam_setcred was already called, doesn't call it the
+# second time in do_pam_setcred.
+#
+# Patch origin: in-house
+#
+# Reported upstream:
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2549
+#
+
+diff -pur old/auth-pam.c new/auth-pam.c
+--- old/auth-pam.c
++++ new/auth-pam.c
+@@ -399,6 +399,10 @@ sshpam_thread(struct pam_ctxt *ctxt)
+ goto auth_fail;
+ sshpam_password_change_required(0);
+ }
++ sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
++ if (sshpam_err != PAM_SUCCESS)
++ goto auth_fail;
++
+ }
+
+ ctxt->pam_done = 1;
+@@ -968,6 +972,8 @@ do_pam_set_tty(const char *tty)
+ void
+ do_pam_setcred(int init)
+ {
++ if (compat20 && (sshpam_authenticated == 1))
++ return; /* pam_setcred already done */
+ sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
+ (const void *)&store_conv);
+ if (sshpam_err != PAM_SUCCESS)
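Review bot: The early return added to do_pam_setcred ignores its `init` argument, so once `sshpam_authenticated` is set every later call is skipped, including any reinitialize pass a caller requests with `init == 0`; the code that picks the pam_setcred flag from `init` lies below the hunk, so whether that pass matters should be checked against the callers. The guard also assumes `sshpam_authenticated` is only set on the keyboard-interactive path that now runs pam_setcred inside sshpam_thread; if the password-authentication path sets the same flag, credentials would never be established for those sessions, which is worth confirming where the flag is assigned. If the PAM "thread" is a forked child on this platform rather than a real thread, credentials established there would not reach the session process; presumably the build uses threads, but that assumption should be recorded. In sshpam_thread a pam_setcred failure now jumps to auth_fail and is logged as an authentication failure, so a comment such as `/* establish creds here while the real conversation function is still installed */` would preserve the reason the call moved. Both enclosing functions, sshpam_thread and do_pam_setcred, start or end outside their hunks.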