bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-17 19:40 UTC
[Bug 1322] New: pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322

Summary: pam_end() is not called if authentication fails, which breaks pam-abl
Product: Portable OpenSSH
Version: 4.6p1
Platform: Other
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405041
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: bitbucket at mindrot.org
ReportedBy: kreiger at linuxgods.com

Pam-abl (http://www.hexten.net/wiki/index.php/Pam_abl) is a PAM module that automatically blacklists hosts or users after a given number of failed authentication attempts. It relies on pam_end() being called by the PAM application, and this is not done by sshd for failed authentication attempts.

This is Debian bug 405041, and I have confirmed that applying the patch found at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405041 makes pam-abl work again.

--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-17 23:57 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2007-06-18 09:57:50 ---
Created an attachment (id=1307)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1307)
Changeset that introduced the change in question.

This is the changeset that introduced the change for reference.
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-18 00:07 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> 2007-06-18 10:07:54 ---
DO NOT apply the patch in the Debian bug. It will expose your system to the signal handler vulnerability fixed in openssh-4.4.

This is the "difficult to fix" SIGALRM handler. We could make sshpam_cleanup() fire if do_cleanup was not called in signal context, but that would just open a different workaround for password guessers: make max_auth_tries-1 guesses and keep the connection open until it times out.
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-18 00:16 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
--- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2007-06-18 10:16:43 ---
Created an attachment (id=1308)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1308)
Patch by Sandro Wefel from Debian bug #405041

Proposed patch from the Debian bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-18 00:17 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |dtucker at zip.com.au
             Blocks|                            |1289, 1305

--- Comment #4 from Darren Tucker <dtucker at zip.com.au> 2007-06-18 10:17:36 ---
Target next release
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-18 00:20 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1308|Patch by Sandro Wefel from  |Patch by Sandro Wefel from
        description|Debian bug #405041          |Debian bug #405041 (don't
                   |                            |use as per djm's comments)
   Attachment #1308|application/octet-stream    |application/text
          mime type|                            |
Attachment #1308 is|0                           |1
           obsolete|                            |
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-18 00:20 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1308|Patch by Sandro Wefel from  |Patch by Sandro Wefel from
        description|Debian bug #405041 (don't   |Debian bug #405041
                   |use as per djm's comments)  |
   Attachment #1308|application/text            |text/plain
          mime type|                            |
Attachment #1308 is|0                           |1
              patch|                            |
Attachment #1308 is|1                           |0
           obsolete|                            |
   Attachment #1308|                            |ok-
               Flag|                            |

--- Comment #5 from Damien Miller <djm at mindrot.org> 2007-06-18 10:20:43 ---
(From update of attachment 1308)
as per comment #2
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-18 00:21 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1308|Patch by Sandro Wefel from  |Patch by Sandro Wefel from
        description|Debian bug #405041          |Debian bug #405041 (don't
                   |                            |use as per djm's comments)
Attachment #1308 is|0                           |1
           obsolete|                            |
bugzilla-daemon at bugzilla.mindrot.org
2007-Jul-11 14:47 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
--- Comment #6 from Sandro Wefel <sandro.wefel at informatik.uni-halle.de> 2007-07-12 00:47:03 ---
Created an attachment (id=1325)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1325)
Patch for do_cleanup with respect to the signal handler vulnerability fixed in openssh-4.4
bugzilla-daemon at bugzilla.mindrot.org
2007-Jul-11 15:17 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
Sandro Wefel <sandro.wefel at informatik.uni-halle.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sandro.wefel at informatik.uni-halle.de

--- Comment #7 from Sandro Wefel <sandro.wefel at informatik.uni-halle.de> 2007-07-12 01:17:41 ---
Please have a look at the attached patch (id=1325). The idea is to call sshpam_cleanup() if authctxt->authenticated is not set before the KRB5 and GSSAPI blocks. After the PAM call we just return from the function do_cleanup(). This means that krb5_cleanup_proc(authctxt) is not called with an invalid parameter, but the sshpam_cleanup() is done, which leads to the pam_end call.

IMHO this should avoid the signal handler race condition CVE-2006-5051 in krb5_cleanup_proc but calls pam_end() if the user authentication fails.
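The two points of this thread, that a pam-abl-style module only sees a failed attempt when the application reaches pam_end(), and that the do_cleanup() change in comment #7 runs the PAM cleanup for unauthenticated connections and returns before the KRB5/GSSAPI blocks, can be modelled in a few dozen lines. The C below is an added example written for this page, not OpenSSH or pam-abl code: the abl_* table, the mock_pam_* handle, the two-field struct authctxt, the failure threshold of 3, the password and the host 203.0.113.5 are all constructed, and the real KRB5/GSSAPI cleanup is represented only by a comment. It contrasts the pre-fix cleanup (nothing happens unless the client authenticated) with the fixed shape, and also checks the regression Darren notes in comment #10: cleanup must still run after a successful login.

```c
/* Added example, not OpenSSH or pam-abl code: models why a PAM module that records
 * failures in its cleanup hook breaks when sshd skips pam_end(). All names/values constructed. */
#include <stdio.h>
#include <string.h>

#define ABL_MAX_HOSTS 8
#define ABL_THRESHOLD 3                /* constructed: failures before blacklisting */
#define GOOD_PASSWORD "correct-horse"  /* constructed */
enum { MOCK_PAM_SUCCESS = 0, MOCK_PAM_AUTH_ERR = 7 };

struct abl_entry { char host[64]; int failures; int blacklisted; };  /* stands in for pam-abl's db */
static struct abl_entry abl_table[ABL_MAX_HOSTS];
static void abl_reset(void) { memset(abl_table, 0, sizeof abl_table); }

static struct abl_entry *abl_lookup(const char *host) {
    for (int i = 0; i < ABL_MAX_HOSTS; i++) {
        if (abl_table[i].host[0] == '\0') {          /* free slot: claim it */
            snprintf(abl_table[i].host, sizeof abl_table[i].host, "%s", host);
            return &abl_table[i];
        }
        if (strcmp(abl_table[i].host, host) == 0)
            return &abl_table[i];
    }
    return NULL;                                     /* table full */
}

int abl_is_blacklisted(const char *host) {
    struct abl_entry *e = abl_lookup(host);
    return e != NULL && e->blacklisted;
}

/* Mock PAM handle: the outcome of pam_authenticate() is only committed to the
 * table when pam_end() runs, which is the dependency the bug report describes. */
struct mock_pamh { char rhost[64]; int auth_failed; int ended; };

static void mock_pam_start(struct mock_pamh *h, const char *rhost) {
    memset(h, 0, sizeof *h); snprintf(h->rhost, sizeof h->rhost, "%s", rhost);
}

static int mock_pam_authenticate(struct mock_pamh *h, const char *password) {
    h->auth_failed = abl_is_blacklisted(h->rhost) || strcmp(password, GOOD_PASSWORD) != 0;
    return h->auth_failed ? MOCK_PAM_AUTH_ERR : MOCK_PAM_SUCCESS;
}

static void mock_pam_end(struct mock_pamh *h) {
    struct abl_entry *e = abl_lookup(h->rhost);
    if (e != NULL && h->auth_failed && ++e->failures >= ABL_THRESHOLD)
        e->blacklisted = 1;
    h->ended = 1;
}

struct authctxt { int authenticated; int pam_started; };
/* Pre-fix shape: nothing is cleaned up unless the client authenticated. */
static void do_cleanup_buggy(struct authctxt *a, struct mock_pamh *h) {
    if (!a->authenticated)
        return;                                      /* pam_end() never reached */
    mock_pam_end(h);
    /* KRB5/GSSAPI cleanup for authenticated sessions would follow here. */
}

/* Shape of the fix from comment #7: PAM cleanup also runs for unauthenticated
 * connections, then we return before the KRB5/GSSAPI blocks that need a valid authctxt. */
static void do_cleanup_fixed(struct authctxt *a, struct mock_pamh *h) {
    if (a->pam_started)
        mock_pam_end(h);
    if (!a->authenticated)
        return;
    /* KRB5/GSSAPI cleanup for authenticated sessions would follow here. */
}

/* One client connection through the modelled sshd; returns whether pam_end() ran. */
static int one_connection(int fixed, const char *host, const char *pw) {
    struct authctxt a = { 0, 1 };                    /* PAM started, not yet authenticated */
    struct mock_pamh h;
    mock_pam_start(&h, host);
    a.authenticated = (mock_pam_authenticate(&h, pw) == MOCK_PAM_SUCCESS);
    (fixed ? do_cleanup_fixed : do_cleanup_buggy)(&a, &h);
    return h.ended;
}

/* Run `attempts` bad-password logins from one host; did the module get to blacklist it? */
int host_blacklisted_after(int fixed, int attempts, const char *host) {
    abl_reset();
    for (int i = 0; i < attempts; i++)
        one_connection(fixed, host, "wrong-guess");
    return abl_is_blacklisted(host);
}

/* The regression noted in comment #10: cleanup must still run after a successful login. */
int cleanup_ran_after_success(int fixed, const char *host) {
    abl_reset();
    return one_connection(fixed, host, GOOD_PASSWORD);
}
int main(void) {
    printf("buggy sshd, 5 failures: blacklisted=%d\n", host_blacklisted_after(0, 5, "203.0.113.5"));
    printf("fixed sshd, 3 failures: blacklisted=%d\n", host_blacklisted_after(1, 3, "203.0.113.5"));
    return 0;
}
```

With the buggy cleanup the host is never blacklisted however many guesses it makes, because the module's bookkeeping lives in the hook that pam_end() drives; with the fixed cleanup the threshold is reached after three failures, and a successful login is still cleaned up under both variants.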
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-10 04:09 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1325|text/x-patch                |text/plain
          mime type|                            |
Attachment #1325 is|0                           |1
              patch|                            |
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-13 13:21 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #1325 is|0                           |1
           obsolete|                            |
Attachment #1307 is|0                           |1
           obsolete|                            |

--- Comment #8 from Darren Tucker <dtucker at zip.com.au> 2007-08-13 23:21:31 ---
Created an attachment (id=1339)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1339)
Patch #1325 with dead code removed.

Damien points out that this makes the existing PAM cleanup code unnecessary.
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-13 13:22 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1339|                            |ok+
               Flag|                            |
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-15 13:29 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |feldt at nhn.ou.edu

--- Comment #9 from Darren Tucker <dtucker at zip.com.au> 2007-08-15 23:29:08 ---
*** Bug 1308 has been marked as a duplicate of this bug. ***
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-15 13:48 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #1339 is|0                           |1
           obsolete|                            |
   Attachment #1339|ok+                         |ok-
               Flag|                            |

--- Comment #10 from Darren Tucker <dtucker at zip.com.au> 2007-08-15 23:48:19 ---
(From update of attachment 1339)
Oops, the patch is wrong; it won't clean up after authenticated connections.
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-15 13:51 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
--- Comment #11 from Darren Tucker <dtucker at zip.com.au> 2007-08-15 23:51:33 ---
Created an attachment (id=1342)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1342)
Allow PAM cleanup for unauthenticated connections based on previous

I think this is the simplest patch that does what is required.
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-15 16:22 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
--- Comment #12 from Sandro Wefel <sandro.wefel at informatik.uni-halle.de> 2007-08-16 02:22:19 ---
The last patch works for me like my patch on all tested architectures and machines in combination with pam_abl. Good work.
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-16 03:52 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1342|                            |ok+
               Flag|                            |

--- Comment #13 from Damien Miller <djm at mindrot.org> 2007-08-16 13:52:47 ---
(From update of attachment 1342)
ok for 4.7
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-16 13:30 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #14 from Darren Tucker <dtucker at zip.com.au> 2007-08-16 23:29:59 ---
Applied, thanks to all.
bugzilla-daemon at bugzilla.mindrot.org
2008-Apr-03 22:59 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #15 from Damien Miller <djm at mindrot.org> 2008-04-04 09:59:54 ---
Close resolved bugs after release.