Rich Bishop
2003-Nov-25 15:55 UTC
Strange behaviour w/ Solaris9 + pam_ldap + openssh 3.7.1p2
Hello, I have a Solaris 9 system which is using Sun's pam_ldap to access user & group information in a Netscape 4.16DS. This was working fine until I upgraded ssh on the box. However, now I'm using 3.7.1p2 with pam support I have the following problem: If a user (local or ldap) enters the correct password everything works fine. Entering a wrong password results in the sshd process becoming unresponsive, until it eventually times out as set by LoginGraceTime in sshd_config. Normally, sshd should prompt for a password a number of times before closing the connection. Running sshd in debug mode under truss shows it going into a sleep state. I've done some searching on this - I found http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106743975716923&w=2 on the sshd-devel list but there are no follow ups as yet. I've been in touch with the original poster, but he hasn't resolved the problem. I'd be happy to provide any debugging information that would be useful in diagnosing the problem. Any assistance would be greatly appreciated. Thanks, Rich
Darren Tucker
2003-Nov-26 06:58 UTC
Strange behaviour w/ Solaris9 + pam_ldap + openssh 3.7.1p2
Rich Bishop wrote:> > I have a Solaris 9 system which is using Sun's pam_ldap to access user & > group information in a Netscape 4.16DS. This was working fine until I > upgraded ssh on the box. However, now I'm using 3.7.1p2 with pam support > I have the following problem: > > If a user (local or ldap) enters the correct password everything works > fine. Entering a wrong password results in the sshd process becoming > unresponsive, until it eventually times out as set by LoginGraceTime in > sshd_config. Normally, sshd should prompt for a password a number of > times before closing the connection. Running sshd in debug mode under > truss shows it going into a sleep state. > > I've done some searching on this - I found > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106743975716923&w=2 > on the sshd-devel list but there are no follow ups as yet. I've been in > touch with the original poster, but he hasn't resolved the problem. I'd > be happy to provide any debugging information that would be useful in > diagnosing the problem.It sounds like the PAM authentication thread is crashing (or possibly deadlocking) for some reason. If it's crashing, you can provide some useful diagnostics thusly: 1) Check if sshd left a core in / 1a) otherwise, turn on core dump saving with coreadm (sorry, can't provide more detail at the moment). 1b) run sshd until the problem occurs. 2) If ssh produces a core, feed it to gdb and provide a backtrace. In the build directory, run gdb ./sshd /path/to/core and at the gdb prompt, type "bt". Save the core dump and copy of sshd from the build dir (it has the debugging symbols) in case more info is required. You could also try a current snapshot as there have been several PAM-related fixes since the 3.7.1p2 release. Also, possibly related: http://bugzilla.mindrot.org/show_bug.cgi?id=740 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.