bugzilla-daemon at bugzilla.mindrot.org
2007-Dec-06 14:45 UTC
[Bug 1396] New: When pam-authentication thread ends, it doesn't call the function pam_end
https://bugzilla.mindrot.org/show_bug.cgi?id=1396

           Summary: When pam-authentication thread ends, it doesn't call the function pam_end
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 4.7p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Keywords: patch
          Severity: normal
          Priority: P2
         Component: PAM support
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: opensshbug at centrum.sk

Created an attachment (id=1386)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1386)
missing call of pam_end at the end of the authenticating thread

I tried to use the pam_abl module to avoid brute force dictionary attacks. It didn't work as I expected (but only for my ssh server). After some research I found out that the main thread in openssh creates another thread to authenticate the user. At the beginning of this thread the pam_abl module sets its own pam data with the function pam_set_data. This module counts on those data being freed with the given callback function at the end of authentication. If the authentication was not successful, host and user are recorded in the database. However, at the end of the thread which authenticates the user, the pam data are not explicitly freed (for example with the function pam_end). I created the patch to fix it.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
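
The failure mode described in the report, as an added illustration that is not part of the original report and is not OpenSSH, libpam or pam_abl code: a self-contained C model in which a module records a failed attempt only from its data-cleanup callback, so a thread that exits without the end call loses the record. All identifiers, the status values and the sample user and host are constructed assumptions.

```c
/* Model of the module-data contract in the report; NOT libpam, all names hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_SUCCESS  0
#define MODEL_AUTH_ERR 1              /* constructed failure status */
struct handle;
typedef void (*cleanup_fn)(struct handle *h, void *data, int status);
struct handle { void *data; cleanup_fn cleanup; };
static int failures_in_db;            /* stands in for the module's database */

/* Cleanup callback: the only place a failed attempt gets recorded. */
static void abl_cleanup(struct handle *h, void *data, int status) {
    (void)h;
    if (status != MODEL_SUCCESS) failures_in_db++;
    free(data);
}

/* Module's authenticate hook: stores its data, defers recording to cleanup. */
static void module_authenticate(struct handle *h, const char *user_at_host) {
    char *copy = malloc(strlen(user_at_host) + 1);
    if (copy == NULL) return;
    strcpy(copy, user_at_host);
    h->data = copy;
    h->cleanup = abl_cleanup;
}

/* Ending the transaction: runs the cleanup with the final status. */
static void model_end(struct handle *h, int status) {
    if (h->cleanup) h->cleanup(h, h->data, status);
    h->data = NULL; h->cleanup = NULL;
}

/* One login attempt; returns how many failures the module recorded for it. */
int failures_recorded(int status, int thread_calls_end) {
    struct handle h = { NULL, NULL };
    int before = failures_in_db;
    module_authenticate(&h, "alice@192.0.2.10");   /* constructed sample input */
    if (thread_calls_end) model_end(&h, status);
    else free(h.data);   /* model only: the real thread just exits */
    return failures_in_db - before;
}

int main(void) {
    printf("failed login, no end call: %d\n", failures_recorded(MODEL_AUTH_ERR, 0));
    printf("failed login, end called:  %d\n", failures_recorded(MODEL_AUTH_ERR, 1));
    return 0;
}
```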