PAM support, the FreeBSD way.

Sponsored by:	DARPA, NAI Labs

6 files changed, 588 insertions, 10 deletions

diff --git a/crypto/openssh/auth2-chall.c b/crypto/openssh/auth2-chall.c
index f35bfb2..4d6fcc3 100644
--- a/crypto/openssh/auth2-chall.c
+++ b/crypto/openssh/auth2-chall.c
@@ -24,6 +24,7 @@
  */
 #include "includes.h"
 RCSID("$OpenBSD: auth2-chall.c,v 1.18 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$FreeBSD$");
 
 #include "ssh2.h"
 #include "auth.h"
@@ -41,6 +42,9 @@ static void input_userauth_info_response(int, u_int32_t, void *);
 #ifdef BSD_AUTH
 extern KbdintDevice bsdauth_device;
 #else
+#ifdef USE_PAM
+extern KbdintDevice pam_device;
+#endif
 #ifdef SKEY
 extern KbdintDevice skey_device;
 #endif
@@ -50,6 +54,9 @@ KbdintDevice *devices[] = {
 #ifdef BSD_AUTH
 	&bsdauth_device,
 #else
+#ifdef USE_PAM
+	&pam_device,
+#endif
 #ifdef SKEY
 	&skey_device,
 #endif
@@ -317,15 +324,22 @@ privsep_challenge_enable(void)
 #ifdef BSD_AUTH
 	extern KbdintDevice mm_bsdauth_device;
 #endif
+#ifdef USE_PAM
+	extern KbdintDevice mm_pam_device;
+#endif
 #ifdef SKEY
 	extern KbdintDevice mm_skey_device;
 #endif
-	/* As long as SSHv1 has devices[0] hard coded this is fine */
+	int n = 0;
+
 #ifdef BSD_AUTH
-	devices[0] = &mm_bsdauth_device;
+	devices[n++] = &mm_bsdauth_device;
 #else
+#ifdef USE_PAM
+	devices[n++] = &mm_pam_device;
+#endif
 #ifdef SKEY
-	devices[0] = &mm_skey_device;
+	devices[n++] = &mm_skey_device;
 #endif
 #endif
 }
diff --git a/crypto/openssh/auth2-pam-freebsd.c b/crypto/openssh/auth2-pam-freebsd.c
new file mode 100644
index 0000000..b011913
--- /dev/null
+++ b/crypto/openssh/auth2-pam-freebsd.c
@@ -0,0 +1,372 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$FreeBSD$");
+
+#ifdef USE_PAM
+#include <security/pam_appl.h>
+
+#include "auth.h"
+#include "log.h"
+#include "monitor_wrap.h"
+#include "packet.h"
+#include "ssh2.h"
+#include "xmalloc.h"
+
+struct pam_ctxt {
+	char		*pam_user;
+	pid_t		 pam_pid;
+	int		 pam_sock;
+	int		 pam_done;
+};
+
+static void pam_free_ctx(void *);
+
+/*
+ * Send message to parent or child.
+ */
+static int
+pam_send(struct pam_ctxt *ctxt, char *fmt, ...)
+{
+	va_list ap;
+	char *mstr;
+	size_t len;
+	int r;
+
+	va_start(ap, fmt);
+	len = vasprintf(&mstr, fmt, ap);
+	va_end(ap);
+	if (mstr == NULL)
+		exit(1);
+	if (ctxt->pam_pid != 0)
+		debug2("to child: %s", mstr);
+	r = send(ctxt->pam_sock, mstr, len + 1, MSG_EOR);
+	free(mstr);
+	return (r);
+}
+
+/*
+ * Peek at first byte of next message.
+ */
+static int
+pam_peek(struct pam_ctxt *ctxt)
+{
+	char ch;
+
+	if (recv(ctxt->pam_sock, &ch, 1, MSG_PEEK) < 1)
+		return (-1);
+	return (ch);
+}
+
+/*
+ * Receive a message from parent or child.
+ */
+static char *
+pam_receive(struct pam_ctxt *ctxt)
+{
+	char *buf;
+	size_t len;
+	ssize_t rlen;
+
+	len = 64;
+	buf = NULL;
+	do {
+		len *= 2;
+		buf = xrealloc(buf, len);
+		rlen = recv(ctxt->pam_sock, buf, len, MSG_PEEK);
+		if (rlen < 1) {
+			xfree(buf);
+			return (NULL);
+		}
+	} while (rlen == len);
+	if (recv(ctxt->pam_sock, buf, len, 0) != rlen) {
+		xfree(buf);
+		return (NULL);
+	}
+	if (ctxt->pam_pid != 0)
+		debug2("from child: %s", buf);
+	return (buf);
+}
+
+/*
+ * Conversation function for child process.
+ */
+static int
+pam_child_conv(int n,
+	 const struct pam_message **msg,
+	 struct pam_response **resp,
+	 void *data)
+{
+	struct pam_ctxt *ctxt;
+	int i;
+
+	ctxt = data;
+	if (n <= 0 || n > PAM_MAX_NUM_MSG)
+		return (PAM_CONV_ERR);
+	if ((*resp = calloc(n, sizeof **resp)) == NULL)
+		return (PAM_BUF_ERR);
+	for (i = 0; i < n; ++i) {
+		resp[i]->resp_retcode = 0;
+		resp[i]->resp = NULL;
+		switch (msg[i]->msg_style) {
+		case PAM_PROMPT_ECHO_OFF:
+			pam_send(ctxt, "p%s", msg[i]->msg);
+			resp[i]->resp = pam_receive(ctxt);
+			break;
+		case PAM_PROMPT_ECHO_ON:
+			pam_send(ctxt, "P%s", msg[i]->msg);
+			resp[i]->resp = pam_receive(ctxt);
+			break;
+		case PAM_ERROR_MSG:
+			pam_send(ctxt, "e%s", msg[i]->msg);
+			break;
+		case PAM_TEXT_INFO:
+			pam_send(ctxt, "i%s", msg[i]->msg);
+			break;
+		default:
+			goto fail;
+		}
+	}
+	return (PAM_SUCCESS);
+ fail:
+	while (i)
+		free(resp[--i]);
+	free(*resp);
+	*resp = NULL;
+	return (PAM_CONV_ERR);
+}
+
+/*
+ * Child process.
+ */
+static void *
+pam_child(struct pam_ctxt *ctxt)
+{
+	struct pam_conv pam_conv = { pam_child_conv, ctxt };
+	pam_handle_t *pamh;
+	int pam_err;
+
+	pam_err = pam_start("sshd", ctxt->pam_user, &pam_conv, &pamh);
+	if (pam_err != PAM_SUCCESS)
+		goto auth_fail;
+	pam_err = pam_authenticate(pamh, 0);
+	if (pam_err != PAM_SUCCESS)
+		goto auth_fail;
+	pam_err = pam_acct_mgmt(pamh, 0);
+	if (pam_err != PAM_SUCCESS)
+		goto auth_fail;
+	pam_send(ctxt, "=OK");
+	pam_end(pamh, pam_err);
+	exit(0);
+ auth_fail:
+	pam_send(ctxt, "!%s", pam_strerror(pamh, pam_err));
+	pam_end(pamh, pam_err);
+	exit(0);
+}
+
+static void *
+pam_init_ctx(Authctxt *authctxt)
+{
+	struct pam_ctxt *ctxt;
+	int socks[2];
+	int i;
+
+	ctxt = xmalloc(sizeof *ctxt);
+	ctxt->pam_user = xstrdup(authctxt->user);
+	ctxt->pam_done = 0;
+	if (socketpair(AF_UNIX, SOCK_DGRAM, PF_UNSPEC, socks) == -1) {
+		error("%s: failed create sockets: %s",
+		    __func__, strerror(errno));
+		xfree(ctxt);
+		return (NULL);
+	}
+	if ((ctxt->pam_pid = fork()) == -1) {
+		error("%s: failed to fork auth-pam child: %s",
+		    __func__, strerror(errno));
+		close(socks[0]);
+		close(socks[1]);
+		xfree(ctxt);
+		return (NULL);
+	}
+	if (ctxt->pam_pid == 0) {
+		/* close everything except our end of the pipe */
+		ctxt->pam_sock = socks[1];
+		for (i = 0; i < getdtablesize(); ++i)
+			if (i != ctxt->pam_sock)
+				close(i);
+		pam_child(ctxt);
+		/* not reached */
+		exit(1);
+	}
+	ctxt->pam_sock = socks[0];
+	close(socks[1]);
+	return (ctxt);
+}
+
+static int
+pam_query(void *ctx, char **name, char **info,
+    u_int *num, char ***prompts, u_int **echo_on)
+{
+	struct pam_ctxt *ctxt = ctx;
+	size_t plen;
+	char *msg;
+
+	*name = xstrdup("");
+	*info = xstrdup("");
+	*prompts = xmalloc(sizeof(char *));
+	**prompts = NULL;
+	plen = 0;
+	*echo_on = xmalloc(sizeof(u_int));
+	while ((msg = pam_receive(ctxt)) != NULL) {
+		switch (*msg) {
+		case 'P':
+		case 'p':
+			*num = 1;
+			**prompts = xrealloc(**prompts, plen + strlen(msg));
+			plen += sprintf(**prompts + plen, "%s", msg + 1);
+			**echo_on = (*msg == 'P');
+			xfree(msg);
+			return (0);
+		case 'e':
+		case 'i':
+			/* accumulate messages */
+			**prompts = xrealloc(**prompts, plen + strlen(msg));
+			plen += sprintf(**prompts + plen, "%s", msg + 1);
+			break;
+		case '=':
+		case '!':
+			if (**prompts != NULL) {
+				/* drain any accumulated messages */
+#if 0 /* not compatible with privsep */
+				packet_start(SSH2_MSG_USERAUTH_BANNER);
+				packet_put_cstring(**prompts);
+				packet_put_cstring("");
+				packet_send();
+				packet_write_wait();
+#endif
+				xfree(**prompts);
+				**prompts = NULL;
+			}
+			if (*msg == '=') {
+				*num = 0;
+				**echo_on = 0;
+				ctxt->pam_done = 1;
+				xfree(msg);
+				return (0);
+			}
+			error("%s", msg + 1);
+		default:
+			*num = 0;
+			**echo_on = 0;
+			xfree(msg);
+			ctxt->pam_done = -1;
+			return (-1);
+		}
+		xfree(msg);
+	}
+	return (-1);
+}
+
+static int
+pam_respond(void *ctx, u_int num, char **resp)
+{
+	struct pam_ctxt *ctxt = ctx;
+	char *msg;
+
+	debug2(__func__);
+	switch (ctxt->pam_done) {
+	case 1:
+		return (0);	
+	case 0:
+		break;
+	default:
+		return (-1);
+	}
+	if (num != 1) {
+		error("expected one response, got %u", num);
+		return (-1);
+	}
+	pam_send(ctxt, "%s", *resp);
+	switch (pam_peek(ctxt)) {
+	case 'P':
+	case 'p':
+	case 'e':
+	case 'i':
+		return (1);
+	case '=':
+		msg = pam_receive(ctxt);
+		xfree(msg);
+		ctxt->pam_done = 1;
+		return (0);
+	default:
+		msg = pam_receive(ctxt);
+		if (*msg == '!')
+			error("%s", msg + 1);
+		xfree(msg);
+		ctxt->pam_done = -1;
+		return (-1);
+	}
+}
+
+static void
+pam_free_ctx(void *ctxtp)
+{
+	struct pam_ctxt *ctxt = ctxtp;
+	int status;
+
+	close(ctxt->pam_sock);
+	kill(ctxt->pam_pid, SIGHUP);
+	waitpid(ctxt->pam_pid, &status, 0);
+	xfree(ctxt->pam_user);
+	xfree(ctxt);
+}
+
+KbdintDevice pam_device = {
+	"pam",
+	pam_init_ctx,
+	pam_query,
+	pam_respond,
+	pam_free_ctx
+};
+
+KbdintDevice mm_pam_device = {
+	"pam",
+	mm_pam_init_ctx,
+	mm_pam_query,
+	mm_pam_respond,
+	mm_pam_free_ctx
+};
+
+#endif /* USE_PAM */
diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c
index 1770e67..885a1e3 100644
--- a/crypto/openssh/monitor.c
+++ b/crypto/openssh/monitor.c
@@ -127,6 +127,10 @@ int mm_answer_sessid(int, Buffer *);
 
 #ifdef USE_PAM
 int mm_answer_pam_start(int, Buffer *);
+int mm_answer_pam_init_ctx(int, Buffer *);
+int mm_answer_pam_query(int, Buffer *);
+int mm_answer_pam_respond(int, Buffer *);
+int mm_answer_pam_free_ctx(int, Buffer *);
 #endif
 
 static Authctxt *authctxt;
@@ -165,6 +169,10 @@ struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
     {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
+    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
+    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
+    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
 #ifdef BSD_AUTH
     {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -199,6 +207,10 @@ struct mon_table mon_dispatch_proto15[] = {
     {MONITOR_REQ_RSARESPONSE, MON_ONCE|MON_AUTHDECIDE, mm_answer_rsa_response},
 #ifdef USE_PAM
     {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
+    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
+    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
+    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
 #ifdef BSD_AUTH
     {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -208,9 +220,6 @@ struct mon_table mon_dispatch_proto15[] = {
     {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
     {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
 #endif
-#ifdef USE_PAM
-    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
-#endif
     {0, 0, NULL}
 };
 
@@ -284,10 +293,6 @@ monitor_child_preauth(struct monitor *pmonitor)
 			if (authctxt->pw->pw_uid == 0 &&
 			    !auth_root_allowed(auth_method))
 				authenticated = 0;
-#ifdef USE_PAM
-			if (!do_pam_account(authctxt->pw->pw_name, NULL))
-				authenticated = 0;
-#endif
 		}
 
 		if (ent->flags & MON_AUTHDECIDE) {
@@ -745,6 +750,100 @@ mm_answer_pam_start(int socket, Buffer *m)
 
 	return (0);
 }
+
+static void *pam_ctxt, *pam_authok;
+extern KbdintDevice pam_device;
+
+int
+mm_answer_pam_init_ctx(int socket, Buffer *m)
+{
+
+	debug3("%s", __func__);
+	authctxt->user = buffer_get_string(m, NULL);
+	pam_ctxt = (pam_device.init_ctx)(authctxt);
+	pam_authok = NULL;
+	buffer_clear(m);
+	if (pam_ctxt != NULL) {
+		monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
+		buffer_put_int(m, 1);
+	} else {
+		buffer_put_int(m, 0);
+	}
+	mm_request_send(socket, MONITOR_ANS_PAM_INIT_CTX, m);
+	return (0);
+}
+
+int
+mm_answer_pam_query(int socket, Buffer *m)
+{
+	char *name, *info, **prompts;
+	u_int num, *echo_on;
+	int i, ret;
+
+	debug3("%s", __func__);
+	pam_authok = NULL;
+	ret = (pam_device.query)(pam_ctxt, &name, &info, &num, &prompts, &echo_on);
+	if (num > 1 || name == NULL || info == NULL)
+		ret = -1;
+	buffer_put_int(m, ret);
+	buffer_put_cstring(m, name);
+	xfree(name);
+	buffer_put_cstring(m, info);
+	xfree(info);
+	buffer_put_int(m, num);
+	for (i = 0; i < num; ++i) {
+		buffer_put_cstring(m, prompts[i]);
+		xfree(prompts[i]);
+		buffer_put_int(m, echo_on[i]);
+	}
+	if (prompts != NULL)
+		xfree(prompts);
+	if (echo_on != NULL)
+		xfree(echo_on);
+	mm_request_send(socket, MONITOR_ANS_PAM_QUERY, m);
+	return (0);
+}
+
+int
+mm_answer_pam_respond(int socket, Buffer *m)
+{
+	char **resp;
+	u_int num;
+	int i, ret;
+
+	debug3("%s", __func__);
+	pam_authok = NULL;
+	num = buffer_get_int(m);
+	if (num > 0) {
+		resp = xmalloc(num * sizeof(char *));
+		for (i = 0; i < num; ++i)
+			resp[i] = buffer_get_string(m, NULL);
+		ret = (pam_device.respond)(pam_ctxt, num, resp);
+		for (i = 0; i < num; ++i)
+			xfree(resp[i]);
+		xfree(resp);
+	} else {
+		ret = (pam_device.respond)(pam_ctxt, num, NULL);
+	}
+	buffer_clear(m);
+	buffer_put_int(m, ret);
+	mm_request_send(socket, MONITOR_ANS_PAM_RESPOND, m);
+	auth_method = "keyboard-interactive/pam";
+	if (ret == 0)
+		pam_authok = pam_ctxt;
+	return (ret);
+}
+
+int
+mm_answer_pam_free_ctx(int socket, Buffer *m)
+{
+
+	debug3("%s", __func__);
+	(pam_device.free_ctx)(pam_ctxt);
+	buffer_clear(m);
+	mm_request_send(socket, MONITOR_ANS_PAM_FREE_CTX, m);
+	return (pam_authok == pam_ctxt);
+}
 #endif
 
 static void
diff --git a/crypto/openssh/monitor.h b/crypto/openssh/monitor.h
index 69114b5..cf3b0bb 100644
--- a/crypto/openssh/monitor.h
+++ b/crypto/openssh/monitor.h
@@ -1,4 +1,5 @@
 /*	$OpenBSD: monitor.h,v 1.6 2002/06/11 05:46:20 mpech Exp $	*/
+/*	$FreeBSD$	*/
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -50,6 +51,10 @@ enum monitor_reqtype {
 	MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
 	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
 	MONITOR_REQ_PAM_START,
+	MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
+	MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,
+	MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
+	MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
 	MONITOR_REQ_TERM
 };
 
diff --git a/crypto/openssh/monitor_wrap.c b/crypto/openssh/monitor_wrap.c
index 9b740ac..71ea233 100644
--- a/crypto/openssh/monitor_wrap.c
+++ b/crypto/openssh/monitor_wrap.c
@@ -26,6 +26,7 @@
 
 #include "includes.h"
 RCSID("$OpenBSD: monitor_wrap.c,v 1.11 2002/06/19 18:01:00 markus Exp $");
+RCSID("$FreeBSD$");
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
@@ -664,6 +665,88 @@ mm_start_pam(char *user)
 
 	buffer_free(&m);
 }
+
+void *
+mm_pam_init_ctx(Authctxt *authctxt)
+{
+	Buffer m;
+	int success;
+
+	debug3("%s", __func__);
+	buffer_init(&m);
+	buffer_put_cstring(&m, authctxt->user);
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
+	success = buffer_get_int(&m);
+	if (success == 0) {
+		debug3("%s: pam_init_ctx failed", __func__);
+		buffer_free(&m);
+		return (NULL);
+	}
+	buffer_free(&m);
+	return (authctxt);
+}
+
+int
+mm_pam_query(void *ctx, char **name, char **info,
+    u_int *num, char ***prompts, u_int **echo_on)
+{
+	Buffer m;
+	int i, ret;
+
+	debug3("%s", __func__);
+	buffer_init(&m);
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, &m);
+	debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__);
+	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, &m);
+	ret = buffer_get_int(&m);
+	debug3("%s: pam_query returned %d", __func__, ret);
+	*name = buffer_get_string(&m, NULL);
+	*info = buffer_get_string(&m, NULL);
+	*num = buffer_get_int(&m);
+	*prompts = xmalloc((*num + 1) * sizeof(char *));
+	*echo_on = xmalloc((*num + 1) * sizeof(u_int));
+	for (i = 0; i < *num; ++i) {
+		(*prompts)[i] = buffer_get_string(&m, NULL);
+		(*echo_on)[i] = buffer_get_int(&m);
+	}
+	buffer_free(&m);
+	return (ret);
+}
+
+int
+mm_pam_respond(void *ctx, u_int num, char **resp)
+{
+	Buffer m;
+	int i, ret;
+
+	debug3("%s", __func__);
+	buffer_init(&m);
+	buffer_put_int(&m, num);
+	for (i = 0; i < num; ++i)
+		buffer_put_cstring(&m, resp[i]);
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m);
+	debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__);
+	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m);
+	ret = buffer_get_int(&m);
+	debug3("%s: pam_respond returned %d", __func__, ret);
+	buffer_free(&m);
+	return (ret);
+}
+
+void
+mm_pam_free_ctx(void *ctxtp)
+{
+	Buffer m;
+
+	debug3("%s", __func__);
+	buffer_init(&m);
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m);
+	debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__);
+	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m);
+	buffer_free(&m);
+}
 #endif /* USE_PAM */
 
 /* Request process termination */
diff --git a/crypto/openssh/monitor_wrap.h b/crypto/openssh/monitor_wrap.h
index ce72124..0d96e9d 100644
--- a/crypto/openssh/monitor_wrap.h
+++ b/crypto/openssh/monitor_wrap.h
@@ -1,4 +1,5 @@
 /*	$OpenBSD: monitor_wrap.h,v 1.5 2002/05/12 23:53:45 djm Exp $	*/
+/*	$FreeBSD$	*/
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -57,6 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *);
 
 #ifdef USE_PAM
 void mm_start_pam(char *);
+void *mm_pam_init_ctx(struct Authctxt *);
+int mm_pam_query(void *, char **, char **, u_int *, char ***, u_int **);
+int mm_pam_respond(void *, u_int, char **);
+void mm_pam_free_ctx(void *);
 #endif
 
 void mm_terminate(void);