bugzilla-daemon at mindrot.org
2005-Mar-18 11:12 UTC
[Bug 1002] sshd does not report failed PAM session modules to the client side
http://bugzilla.mindrot.org/show_bug.cgi?id=1002

           Summary: sshd does not report failed PAM session modules to the client side
           Product: Portable OpenSSH
           Version: 4.0p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: tryponraj at gmail.com

sshd does not report failed PAM session modules to the client side. But sshd with " -e " option reports correctly.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Mar-18 11:44 UTC
[Bug 1002] sshd does not report failed PAM session modules to the client side
http://bugzilla.mindrot.org/show_bug.cgi?id=1002

------- Additional Comments From dtucker at zip.com.au 2005-03-18 22:44 -------
Hmm, I thought that was fixed with 4.0p1. Which platform and PAM modules are you using?

Can you give an example of what you mean by "sshd with " -e " option reports correctly"?
bugzilla-daemon at mindrot.org
2005-Mar-19 03:54 UTC
[Bug 1002] sshd does not report failed PAM session modules to the client side
http://bugzilla.mindrot.org/show_bug.cgi?id=1002

------- Additional Comments From tryponraj at gmail.com 2005-03-19 14:54 -------
We are using libpam_unix.1 in HP-UX and we renamed its entry in pam.conf file as "libpam_unix.1_invalid". Server does not report about "libpam_unix.1_invalid" to the client.

Server : /opt/ssh/sbin/sshd -e -o "UsePAM yes" -o "UsePrivilegeSepraration no "
Client : ssh localhost
Password :
PAM: pam_open_session(): Can not make/remove entry for session
Connection to localhost closed

We missed that even -e option failed to report session module name to the client.
bugzilla-daemon at mindrot.org
2005-Mar-19 04:23 UTC
[Bug 1002] sshd does not report failed PAM session modules to the client side
http://bugzilla.mindrot.org/show_bug.cgi?id=1002

------- Additional Comments From dtucker at zip.com.au 2005-03-19 15:23 -------
If you deliberately (or otherwise) break your PAM config then there's nothing much sshd can do about it. PAM deliberately does not tell the application anything about the modules involved so sshd has no way of knowing.

BTW the "PAM: pam_open_session()" error sent to the client is only there because you specified "-e". Under normal circumstances that would go to syslog.
bugzilla-daemon at mindrot.org
2005-Mar-19 10:13 UTC
[Bug 1002] sshd does not report failed PAM session modules to the client side
http://bugzilla.mindrot.org/show_bug.cgi?id=1002

------- Additional Comments From tryponraj at gmail.com 2005-03-19 21:13 -------
The following error message is reported to neither syslog nor the user for a privilege separated user:

error: PAM: pam_open_session(): Can not make/remove entry for session
bugzilla-daemon at mindrot.org
2005-Mar-20 09:38 UTC
[Bug 1002] sshd does not report failed PAM session modules to the client side
http://bugzilla.mindrot.org/show_bug.cgi?id=1002

------- Additional Comments From dtucker at zip.com.au 2005-03-20 20:38 -------
OK, let me rephrase that: it *should* be logged to syslog. If it's not then it's probably something that can be fixed.

What are you trying to achieve by disabling libpam_unix in pam.conf?
bugzilla-daemon at mindrot.org
2005-Mar-20 11:11 UTC
[Bug 1002] sshd does not report failed PAM session modules to the client side
http://bugzilla.mindrot.org/show_bug.cgi?id=1002

------- Additional Comments From dtucker at zip.com.au 2005-03-20 22:11 -------
What version of HP-UX is this (ie the "Can not make/remove entry" thing?) I can't reproduce on 11.00, it logs this from sshd with privsep=yes:

open_module: stat(/usr/lib/security/libpam_unix.1.not) failed: No such file or directory
load_modules: can not open module /usr/lib/security/libpam_unix.1.not
error: PAM: pam_open_session(): Can not make/remove entry for session
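
Added example, not part of the original thread and not OpenSSH code: since sshd's own error carries only the PAM return text, this sketch recovers the failing module by pairing that error with the libpam lines logged under the same PID, and flags sessions where no such lines exist. The syslog prefix layout, PIDs, host and user name in the sample are assumptions; only the message texts come from the thread.

```python
import re

# Constructed sample. Message texts are the ones quoted in the thread; the
# timestamp/host/"sshd[pid]:" prefix, PIDs and user name are assumptions.
SAMPLE_LOG = """\
Mar 20 22:05:01 hpux sshd[2211]: Accepted password for alice from 127.0.0.1 port 4021 ssh2
Mar 20 22:05:40 hpux sshd[2230]: open_module: stat(/usr/lib/security/libpam_unix.1.not) failed: No such file or directory
Mar 20 22:05:40 hpux sshd[2230]: load_modules: can not open module /usr/lib/security/libpam_unix.1.not
Mar 20 22:05:40 hpux sshd[2230]: error: PAM: pam_open_session(): Can not make/remove entry for session
Mar 20 22:07:12 hpux sshd[2301]: error: PAM: pam_open_session(): Can not make/remove entry for session
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# libpam's own complaints: the only place the module path shows up.
MODULE = re.compile(r"(?:open_module: stat\((?P<a>[^)]+)\) failed"
                    r"|load_modules: can not open module (?P<b>\S+))")
# sshd's report of the failed PAM call: return-code text only, no module.
PAM_ERR = re.compile(r"error: PAM: (?P<call>pam_\w+)\(\): (?P<reason>.+)$")


def correlate(log_text):
    """Pair each sshd PAM error with module paths libpam logged for that PID."""
    modules = {}    # pid -> module paths seen so far, in order
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        mod = MODULE.match(msg)
        if mod:
            path = mod.group("a") or mod.group("b")
            if path not in modules.setdefault(pid, []):
                modules[pid].append(path)
            continue
        err = PAM_ERR.match(msg)
        if err:
            findings.append({"pid": pid, "call": err.group("call"),
                             "reason": err.group("reason"),
                             # empty list: libpam's lines never reached syslog
                             "modules": list(modules.get(pid, []))})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f["pid"], f["call"], f["modules"] or "module unknown (no libpam lines)")
```
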