Subject: Re: PAM vulnerability in portable OpenSSH
To: Damien Miller <>
From: Dag-Erling =?iso-8859-1?q?Sm=F8rgrav?= <>
List: current-users
Date: 10/01/2003 10:04:46
Damien Miller <> writes:
> The PAM spec is silent on the meanings of the arguments to the
> conversation function (a really sad state of affairs for a security
> technology).

XSSO page 89: "The parameter msg is a pointer to an array of length
num_msg of the pam_message structure".

>  > I have the source code in front of me.
> Which source code? The Sun sample pam module, which dodges the issue
> by only generating a single prompt?

The Solaris libpam source code.

Dag-Erling Sm=F8rgrav -