> Okay, this appears to be a problem with pam_unix.so - the code in
> pam_sm_open_session is written with the assumption that the tty name is of
> the form "/dev/" + something else on the end. I'm not sure why the

pam_sm_open_session in pam_unix on Solaris now does this:

        /* report error if ttyn or rhost are not set */
        if ((ttyn == NULL) || (rhost == NULL))
                return (PAM_SESSION_ERR);

        /* sanity check on size of tty line */
        if (strlen(ttyn) < sizeof("/dev/"))
                return (PAM_SESSION_ERR);

later on it uses everything after the /dev/ as the short name tty to
write to lastlog.

This was part of the fix for 4250887. The fix will appear in patch
111659-03 (sparc) and 111660-03 (intel) when that patch is released.

--
Darren J Moffat
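The two checks quoted above, reconstructed as an added example (this is not the Solaris pam_unix source, only the logic Darren describes, and the "short name" derivation is an assumption: taking "everything after the /dev/" to mean skipping five bytes is the only reading under which a made-up name such as "NODEVssh" becomes "ssh"). The strict variant is hypothetical and added for comparison; it shows what a prefix check would reject. The sample tty names and the rhost value are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reconstruction of the two checks quoted from pam_sm_open_session
 * (assumption: not the real Solaris code, only the described logic).
 * sizeof("/dev/") is 6, so any name of five characters or fewer is
 * rejected: "ssh" fails, "NODEVssh" and "/dev/pts/3" pass. */
int tty_name_accepted(const char *ttyn, const char *rhost)
{
    if (ttyn == NULL || rhost == NULL)
        return 0;                       /* PAM_SESSION_ERR in the original */
    if (strlen(ttyn) < sizeof("/dev/"))
        return 0;                       /* PAM_SESSION_ERR in the original */
    return 1;
}

/* "Everything after the /dev/" taken literally as skipping five bytes
 * (assumption: this is how a fake name like "NODEVssh" ends up logged as
 * "ssh").  Returns NULL when the checks above fail. */
const char *tty_short_name_lenient(const char *ttyn, const char *rhost)
{
    if (!tty_name_accepted(ttyn, rhost))
        return NULL;
    return ttyn + (sizeof("/dev/") - 1);
}

/* Hypothetical stricter variant, added here for comparison: require the
 * "/dev/" prefix and a non-empty remainder, so only a real device path
 * yields a short name and a made-up value is rejected rather than logged. */
const char *tty_short_name_strict(const char *ttyn, const char *rhost)
{
    static const char prefix[] = "/dev/";
    size_t plen = sizeof(prefix) - 1;

    if (ttyn == NULL || rhost == NULL)
        return NULL;
    if (strncmp(ttyn, prefix, plen) != 0 || ttyn[plen] == '\0')
        return NULL;
    return ttyn + plen;
}

int main(void)
{
    /* Constructed sample inputs: the two PAM_TTY values from the thread
     * and an ordinary device path. */
    const char *names[] = { "ssh", "NODEVssh", "/dev/pts/3" };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        const char *lenient = tty_short_name_lenient(names[i], "client.example");
        const char *strict = tty_short_name_strict(names[i], "client.example");
        printf("%-12s lenient=%-10s strict=%s\n", names[i],
               lenient ? lenient : "(rejected)",
               strict ? strict : "(rejected)");
    }
    return 0;
}
```

Running it shows why the original "ssh" value fails the length check while "NODEVssh" passes it and is logged as "ssh"; the strict variant rejects both and accepts only the genuine device path.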
On Wed, 24 Oct 2001, Darren Moffat wrote:

> > > Okay, this appears to be a problem with pam_unix.so - the code in
> > > pam_sm_open_session is written with the assumption that the tty name is of
> > > the form "/dev/" + something else on the end. I'm not sure why the
>
> pam_sm_open_session in pam_unix on Solaris now does this:
>
>         /* report error if ttyn or rhost are not set */
>         if ((ttyn == NULL) || (rhost == NULL))
>                 return (PAM_SESSION_ERR);
>
>         /* sanity check on size of tty line */
>         if (strlen(ttyn) < sizeof("/dev/"))
>                 return (PAM_SESSION_ERR);
>
> later on it uses everything after the /dev/ as the short name tty to
> write to lastlog.
>
> This was part of the fix for 4250887. The fix will appear in patch
> 111659-03 (sparc) and 111660-03 (intel) when that patch is released.

IMO until then we should enable the kludge, but change it as follows.

Kevin, can you check whether the kludge works with this patch on HP/UX?
(is the kludge even needed there?)

Index: auth-pam.c
==================================================================
RCS file: /var/cvs/openssh/auth-pam.c,v
retrieving revision 1.37
diff -u -r1.37 auth-pam.c
--- auth-pam.c	2001/04/23 18:38:37	1.37
+++ auth-pam.c	2001/10/25 00:43:55
@@ -374,7 +374,7 @@
 	 * not even need one (for tty-less connections)
 	 * Kludge: Set a fake PAM_TTY
 	 */
-	pam_retval = pam_set_item(__pamh, PAM_TTY, "ssh");
+	pam_retval = pam_set_item(__pamh, PAM_TTY, "NODEVssh");
 	if (pam_retval != PAM_SUCCESS)
 		fatal("PAM set tty failed[%d]: %.200s",
 		    pam_retval, PAM_STRERROR(__pamh, pam_retval));

-d

--
| By convention there is color,      \\ Damien Miller <djm at mindrot.org>
| By convention sweetness, By convention bitterness, \\ www.mindrot.org
| But in reality there are atoms and space - Democritus (c. 400 BCE)
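Review bot: the new "NODEVssh" value on the + line depends on an undocumented detail of pam_unix: it passes the quoted strlen(ttyn) < sizeof("/dev/") check because it is longer than five characters, and it only yields a sensible short name ("ssh") in lastlog if pam_unix derives "everything after the /dev/" by skipping a fixed number of bytes rather than by matching the prefix, which the quoted text does not confirm. The unchanged comment two lines above ("Kludge: Set a fake PAM_TTY") should state why the string has exactly five leading characters before "ssh", that a fake tty name of "ssh" will be recorded in lastlog, and that the workaround becomes unnecessary once Solaris patch 111659-03 (sparc) / 111660-03 (intel) is applied, so the next person can tell when to remove it.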
On Wed, 24 Oct 2001, Darren Moffat wrote:

> Date: Wed, 24 Oct 2001 17:39:19 -0700 (PDT)
> From: Darren Moffat <Darren.Moffat at eng.sun.com>
> To: openssh-unix-dev at mindrot.org
> Subject: Re: Regarding PAM_TTY_KLUDGE and Solaris 8...
>
> > > Okay, this appears to be a problem with pam_unix.so - the code in
> > > pam_sm_open_session is written with the assumption that the tty name is of
> > > the form "/dev/" + something else on the end. I'm not sure why the
>
> pam_sm_open_session in pam_unix on Solaris now does this:
>
>         /* report error if ttyn or rhost are not set */
>         if ((ttyn == NULL) || (rhost == NULL))
>                 return (PAM_SESSION_ERR);
>
>         /* sanity check on size of tty line */
>         if (strlen(ttyn) < sizeof("/dev/"))
>                 return (PAM_SESSION_ERR);
>
> later on it uses everything after the /dev/ as the short name tty to
> write to lastlog.
>
> This was part of the fix for 4250887. The fix will appear in patch
> 111659-03 (sparc) and 111660-03 (intel) when that patch is released.

Hi Darren,

Before the 111659-03 patch comes out, this section of code doesn't have
any of the error checking?  What is the target date for this patch release?

Still I think, in this case, calling pam_open_session() for the
non-interactive case is "wrong" and we should avoid it (especially if we
have to send a bogus tty name just to get it to keep from crashing).  The
strange part about the crashing is that PAM_TTY is not set... so I'm not
exactly sure why it crashes, because pam_sm_open_session() will return an
error if PAM_TTY is not set.  I'll investigate further...

Thanks,

        Ed

Ed Phillips <ed at udel.edu>  University of Delaware  (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
> Before the 111659-03 patch comes out, this section of code doesn't have
> any of the error checking?

Correct, the code neither checks to see if PAM_TTY is set nor does it check
that it is long enough.

> What is the target date for this patch release?

I don't know, contact Sun Enterprise Services.  It depends on when the
customer who requested the patch verifies that it fixes their problem, and
when the patch completes all the regression testing cycles.

--
Darren J Moffat
> Does this make sense?

All makes sense to me.  Solaris 9 is already fixed; the way we do development
in Sun ensures that we fix the problem in the yet-to-be-released system before
we fix it as a patch for other releases.  For some types of fix, not only does
it need to be fixed in the future release first, but the fix must sit in the
future release for a couple of weeks to ensure it is the right thing to do.
We have safety checks in place to prevent fixing bugs in older releases if it
hasn't already been fixed in the future release or marked as not applicable
because some other change made it irrelevant.

> Darren... is this true - if PAM_TTY is not set and the user needs to
> change his password, will pam_sm_acct_mgmt() in pam_unix.so return an
> error that sshd can detect and process?

Nope, and I don't think it should either.  The pam modules do not assume that
a tty is present to do the prompting, because your conversation function might
actually be a GUI.  It is up to the calling application and its conversation
function to deal with getting the information from the user.  If
pam_acct_mgmt returns PAM_NEW_AUTHTOK_REQD and sshd isn't able to prompt the
user for one (because it has no tty) then it has to make its own choice of
what to do: it can continue and ignore it, or it can display a warning, or it
can disconnect - it is up to sshd to choose what to do (it could use
SSH_ASKPASS if it is available).

> back and forth enough to confuse everybody?).  Maybe there could be a
> PAM_OPEN_SESSION_BROKEN flag in config.h, which is defined by default, and
> we could document which patch needs to be applied on Solaris in order to
> avoid the problem and allow pam_open_session() to be called (with NO
> PAM_TTY set).

Please do not use that as the option name; instead say something that says
what you are actually doing - not calling pam_open_session when sshd doesn't
have a tty.

pam_open_session on Solaris is not broken, it is just that without the patch
the pam_sm_open_session in pam_unix assumes that it is only ever called with
a valid PAM_TTY - that was a bug.

--
Darren J Moffat
> something like SSH_ASKPASS (or PAM_ASK_ITEM :)

What is PAM_ASK_ITEM?  You can't just add items to the PAM item namespace;
this is an Open Group administered standard.

--
Darren J Moffat
> Mind you, one could use a new PAM item named PAM_ASK_ITEM instead of an
> environment variable for configuring the PAM equivalent of SSH_ASKPASS.
> But I'm not asking for that either.

We already have that; it is the conversation function.

--
Darren J Moffat