#
# Allow PAM conversation for pam_setcred for keyboard-interactive auth
#
# Currently OpenSSH runs pam_setcred with 'fake' conversation function
# sshpam_store_conv. If some PAM module actually tries to converse for
# pam_setcred, sshpam_store_conv fails with PAM_CONV_ERR.
#
# This patch moves calling pam_setcred to the end of actual PAM
# authentication, where there still is a real conversation function
# available. If pam_setcred was already called, doesn't call it the
# second time in do_pam_setcred.
#
# Patch origin: in-house
#
# Reported upstream:
#
diff -pur old/auth-pam.c new/auth-pam.c
--- old/auth-pam.c
+++ new/auth-pam.c
@@ -399,6 +399,10 @@ sshpam_thread(struct pam_ctxt *ctxt)
goto auth_fail;
sshpam_password_change_required(0);
}
+ sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
+ if (sshpam_err != PAM_SUCCESS)
+ goto auth_fail;
+
}
ctxt->pam_done = 1;
@@ -968,6 +972,8 @@ do_pam_set_tty(const char *tty)
void
do_pam_setcred(int init)
{
+ if (compat20 && (sshpam_authenticated == 1))
+ return; /* pam_setcred already done */
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&store_conv);
if (sshpam_err != PAM_SUCCESS)