fix duplicate PAM msgs, missing loginmsg reset #522
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
without this change in mm_answer_pam_account all messages added in auth-pam.c sshpam_query(...) case PAM_SUCCESS end up sent here, then are still sitting in the loginmsg buffer and printed a second time in session.c do_login(...)
hellermf
force-pushed
the
fix/duplicate-PAM-msg-printing
branch
from
c10adb2
to
2f55f92
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Without this change in mm_answer_pam_account all messages added in auth-pam.c sshpam_query(...)
case PAM_SUCCESSend up sent here, then are still sitting in the loginmsg buffer and printed a second time in session.c do_login(...)I initially encountered this problem using
pam_duo.so(described by some other user in the link below) however it is not specific to that PAM module, I also get messages printed twice when pam_echo.so, pam_debug.so, and others are included in the auth PAM chain used by sshd.https://community.cisco.com/t5/protecting-applications/duplicate-success-logging-you-in-after-a-successful-login/td-p/4879911
Without this code change, given the logic inside do_login(...) it is possible to work-around the problem on per-user basis with
touch ~/.hushloginbut that also has the side-effect of disabling printing of the MOTD by sshd if that is configured ...and it is per-user not system-wide.I gave some thought to whether there is any circumstance where the behavior of the original code is desired but thus far I cannot imagine one, although I am not deeply familiar with OpenSSH codebase.