bugzilla-daemon at mindrot.org
2004-Apr-09 05:18 UTC
[Bug 839] Privilege Separation + PAM locks users out
http://bugzilla.mindrot.org/show_bug.cgi?id=839

Summary: Privilege Separation + PAM locks users out
Product: Portable OpenSSH
Version: 3.8p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: critical
Priority: P1
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: wgrim at siue.edu

I was having a problem all weekend where UsePrivilegeSeparation was on, and users were being authenticated through PAM modules. I would continuously get ssh_exchange_identification errors. Generally this is a hosts.allow/.deny problem. However, after running into this problem 3 times, I determined this was not the problem.

The problem has to do with something between sshd and PAM during privilege separation. I was randomly getting several "sshd: <user> [pam]" processes in my "ps ax" list. When the maximum unauthenticated connection limit was reached, no one could log in.

Turning privilege separation off seems to remove the problem. It is also important to make sure ssh* binaries are not setuid root in this case. Use SELinux or similar if you feel you need more security. However, I would like privilege separation fixed.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Apr-09 05:27 UTC
[Bug 839] Privilege Separation + PAM locks users out
http://bugzilla.mindrot.org/show_bug.cgi?id=839

------- Additional Comments From dtucker at zip.com.au 2004-04-09 15:27 -------

Created an attachment (id=600) --> (http://bugzilla.mindrot.org/attachment.cgi?id=600&action=view)
Reset thread status

Please try this patch (which has already been committed to -current, auth-pam.c rev 1.97) or try a snapshot.
bugzilla-daemon at mindrot.org
2004-Apr-09 05:31 UTC
[Bug 839] Privilege Separation + PAM locks users out
http://bugzilla.mindrot.org/show_bug.cgi?id=839

------- Additional Comments From dtucker at zip.com.au 2004-04-09 15:31 -------

BTW the only binary that should be setuid is ssh-keysign (and possibly ssh, but only if you use a server that requires connections from low-numbered ports, e.g. for RSARhosts authentication).
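Two checks an administrator hitting this bug would want, written here as an added example (POSIX sh; this is not code from OpenSSH, from the bug's patch, or from either poster). The first counts sshd children still in pre-authentication state in a `ps` listing, the "sshd: <user> [pam]" processes the reporter saw piling up, and compares the count with the "full" field of MaxStartups, which is the limit whose exhaustion makes sshd refuse new connections (seen by the client as the ssh_exchange_identification error). The second audits which ssh binaries carry the setuid bit, against dtucker's rule that only ssh-keysign should. Assumptions not stated on the page: the `sshd: [net]` process title, treated here as another pre-auth child, the fallback of 10 when MaxStartups is absent, and the sample `ps` output and sshd_config, which are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from OpenSSH or from bug 839.

# Count sshd children that have not finished authenticating.
#   "sshd: <user> [pam]"  the PAM helper processes from the bug report
#   "sshd: [net]"         assumed here to be the unprivileged pre-auth child
# Reads a ps listing on stdin and prints the count (0 when there are none).
count_preauth() {
    grep -c -E 'sshd: ([^ ]+ )?\[(pam|net)\]$' || true
}

# Print the "full" field of MaxStartups from an sshd_config read on stdin.
# The directive is either a single number or "start:rate:full"; once "full"
# unauthenticated connections are pending, sshd drops new ones.  Lines that
# are commented out ("#MaxStartups ...") are ignored.  Falls back to 10
# (assumed default) when the directive is absent.
max_startups_full() {
    awk '
        tolower($1) == "maxstartups" { n = split($2, f, ":"); full = f[n] }
        END { print (full == "" ? 10 : full) }
    '
}

# $1 = ps listing text, $2 = sshd_config text.
# Returns 1 when pending pre-auth children have reached the limit, i.e.
# when sshd is already refusing connections.
check_startups() {
    pending=$(printf '%s\n' "$1" | count_preauth)
    limit=$(printf '%s\n' "$2" | max_startups_full)
    if [ "$pending" -ge "$limit" ]; then
        echo "LOCKED OUT: $pending unauthenticated sshd children, MaxStartups full=$limit"
        return 1
    fi
    echo "ok: $pending unauthenticated sshd children, MaxStartups full=$limit"
}

# Print every setuid file among $@ other than ssh-keysign, the one OpenSSH
# binary that normally needs the bit.  Anything printed deserves a look.
unexpected_setuid() {
    for f in "$@"; do
        if [ -u "$f" ] && [ "$(basename "$f")" != "ssh-keysign" ]; then
            echo "$f"
        fi
    done
    return 0
}

# Constructed ps listing: three stuck PAM helpers, one privsep monitor,
# one authenticated session.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
 1234 ?        Ss     0:00 /usr/sbin/sshd
 2001 ?        S      0:00 sshd: alice [pam]
 2002 ?        S      0:00 sshd: bob [pam]
 2003 ?        S      0:00 sshd: carol [pam]
 2010 ?        S      0:00 sshd: dave [priv]
 2011 ?        S      0:00 sshd: dave@pts/0'

# Constructed sshd_config with a deliberately low limit (full = 3).
SAMPLE_CONFIG='Port 22
UsePrivilegeSeparation yes
UsePAM yes
#MaxStartups 10
MaxStartups 2:50:3'

# Demo on the constructed data; on a live host use
#   check_startups "$(ps ax)" "$(cat /etc/ssh/sshd_config)"
check_startups "$SAMPLE_PS" "$SAMPLE_CONFIG" || :
unexpected_setuid /usr/bin/ssh /usr/bin/scp /usr/sbin/sshd /usr/libexec/ssh-keysign
```

Three stuck helpers against a limit of three is exactly the state the reporter describes: every new connection is refused before the banner exchange, so the client sees ssh_exchange_identification rather than an authentication failure. Raising MaxStartups only delays the lockout while the leaked processes remain; the fix is the patch on this bug.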
bugzilla-daemon at mindrot.org
2004-May-03 01:05 UTC
[Bug 839] Privilege Separation + PAM locks users out
http://bugzilla.mindrot.org/show_bug.cgi?id=839

------- Additional Comments From dtucker at zip.com.au 2004-05-03 11:05 -------

The patch on this bug is in 3.8.1p1, so I think this is fixed. Does the problem still occur with that version?