bugzilla-daemon at mindrot.org
2004-Jun-17 20:15 UTC
[Bug 881] PAM: authentication thread exited unexpectedly
http://bugzilla.mindrot.org/show_bug.cgi?id=881
Summary: PAM: authentication thread exited unexpectedly
Product: Portable OpenSSH
Version: 3.8p1
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: a at wynes.com
CC: a at wynes.com
Relevant components of our environment:
Solaris 8
Sun Resource Manager 1.3 (SRM) with all published patches.
OpenSSH 3.8.1p1
We're having an issue where SSH logins using PAM authentication are
failing for certain accounts (those without SRM lnodes). The client
receives a "Connection Closed" message and sshd logs the message
"fatal: PAM:
authentication thread exited unexpectedly".
With SRM, the kernel uses lnodes (Limit nodes) associated with uids to
track usage and allocation for RAM, CPU and logins.
An lnode can be created manually after the userid has been created or
automatically the first time a user logs in. This is done by a PAM
module - pam_srm.
http://docs.sun.com/db/doc/816-7750/6mdo1u7fr?q=pam_srm&a=view
If the account logging in does not have an lnode, the module runs a script
/etc/srm/nolnode to generate one. SSH is exiting as a result of calling this
PAM module - if I comment out that PAM module the user can log in. lnodes are
only created once, unless deleted by root.
Observations:
o If the user has an existing lnode, they can log in fine.
o This functionality worked with OpenSSH 3.7.1p1.
o If UsePassword or RSAAuthentication are used instead of PAM the users can log
in fine.
o We use PrivilegeSeparation. It happens if that is turned off/on.
o The /etc/srm/nolnode script is never running - I've made changes to
verify.
o The logins succeed if pam_srm is commented out in pam.conf. That's our
work-around but it means those logins are not controlled by SRM.
This looks like a bug with SRM but I don't understand why it wasn't an
issue with OpenSSH 3.7.1p1. If it's obviously a problem with pam_srm
can you tell me what it would be doing to cause sshd to log the "exited
unexpectedly" message. A SEGFAULT?
Thanks.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Jun-17 20:19 UTC
[Bug 881] PAM: authentication thread exited unexpectedly
http://bugzilla.mindrot.org/show_bug.cgi?id=881 ------- Additional Comments From a at wynes.com 2004-06-18 06:19 ------- Created an attachment (id=649) --> (http://bugzilla.mindrot.org/attachment.cgi?id=649&action=view) truss showing pam_srm open and error This truss is from an sshd -ddd. It shows the point in execution where pam_srm is called and continues until the process exits. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Jun-17 20:39 UTC
[Bug 881] PAM: authentication thread exited unexpectedly
http://bugzilla.mindrot.org/show_bug.cgi?id=881
a at wynes.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|3.8p1 |3.8.1p1
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Jun-18 01:54 UTC
[Bug 881] PAM: authentication thread exited unexpectedly
http://bugzilla.mindrot.org/show_bug.cgi?id=881 ------- Additional Comments From dtucker at zip.com.au 2004-06-18 11:54 ------- The trace looks like a segfault. Did it leave a core file (eg in /)? The message is because sshd attempts to trap the case where the PAM "thread" bombs out. (We were seing this when, eg, a PAM module crashed, and it would hang sshd). ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Jun-18 03:36 UTC
[Bug 881] PAM: authentication thread exited unexpectedly
http://bugzilla.mindrot.org/show_bug.cgi?id=881 ------- Additional Comments From a at wynes.com 2004-06-18 13:36 ------- No, no core files. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Jun-18 03:43 UTC
[Bug 881] PAM: authentication thread exited unexpectedly
http://bugzilla.mindrot.org/show_bug.cgi?id=881 ------- Additional Comments From dtucker at zip.com.au 2004-06-18 13:43 ------- You can use coreadm to put them some place handy (I use /var/core/). I think the command is "coreadm -g /var/core/core.%f.%p", but check the man page and adjust to local conditions. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Jun-18 21:05 UTC
[Bug 881] PAM: authentication thread exited unexpectedly
http://bugzilla.mindrot.org/show_bug.cgi?id=881 ------- Additional Comments From a at wynes.com 2004-06-19 07:05 ------- Created an attachment (id=650) --> (http://bugzilla.mindrot.org/attachment.cgi?id=650&action=view) SSHD Core File The default has global setid core dumps disabled. I enabled it, here's the gzipped core. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.