-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Can anyone reproduce this on a Solaris 8 system with 4.2p1: openssh is configured to use PAM and sshd_config has "UsePam" set to "yes" pam.conf has something like this: other auth required pam_get_authtok other auth sufficient pam_krb5.so.1 use_first_pass other auth required pam_unix.so.1 use_first_pass Now, If I log in via ssh as a user who has a Kerberos principal, everything works just fine. If a local account is used, sshd segfaults. If I remove the pam_krb5.so.1 reference auth line, the local user can successfully authenticate. I'll gather more debugging info if this is not already a known problem. jd - -- John Devitofranceschi, E-Mail: jdvf at optonline.net Fax: +1 203 348 8219 PGP Fingerprint: 0D33 5A27 0810 9543 64FB DF4A 54CF 4B40 1335 4673 "What," asked Mr. Croup, "do you want?" "What," asked the marquis de Carabas, a little more rhetorically, "does anyone want?" "Dead things," suggested Mr. Vandemar. "Extra teeth." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) iD8DBQFDOgHzVM9LQBM1RnMRAocHAJ9bNFMwRbJJPjGe8PBQxYMlalobwgCfQRpB JXO80EfQPfQ4ReJhhNKp9y4=BJLz -----END PGP SIGNATURE-----
John Devitofranceschi wrote:> Can anyone reproduce this on a Solaris 8 system with 4.2p1: > > openssh is configured to use PAM and sshd_config has "UsePam" set to "yes" > > pam.conf has something like this: > > other auth required pam_get_authtokYou mean "pam_authtok_get.so.1"? The example in pam.conf has it listed as "requisite", not sure if that matters.> other auth sufficient pam_krb5.so.1 use_first_pass > other auth required pam_unix.so.1 use_first_pass > > Now, If I log in via ssh as a user who has a Kerberos principal, > everything works just fine. If a local account is used, sshd segfaults. > If I remove the pam_krb5.so.1 reference auth line, the local user can > successfully authenticate. > > I'll gather more debugging info if this is not already a known problem.Not a known problem as far as I am aware. Please open a bug at http://bugzilla.mindrot.org and attach a debug trace ("/path/to/sshd -ddde"). The other thing you might like to try is this test rig: http://www.zip.com.au/~dtucker/patches/index.html#pamtest # gcc pam-test-harness.c -o pam-test-harness -lpam # ./pam-test-harness -s sshd -u youruser This will help determine if the problem lies in sshd or the pam module. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.