openssh bugs - Apr 2008 - [Bug 926] pam_session_close called as user or not at all

https://bugzilla.mindrot.org/show_bug.cgi?id=926


Jan Engelhardt <jengelh at gmx.de> changed:

           What    |Removed                     |Added                       
----------------------------------------------------------------------------
                 CC|                            |jengelh at gmx.de              




--- Comment #33 from Jan Engelhardt <jengelh at gmx.de>  2008-04-12
16:10:34 ---
To comment #20:
Modules do not seem to be able to do converse (in 5.0p1). pam_mount for
example is affected by this (ideally it would just grab the authtoken
from the auth stage but sadly enough openssh destroys the pam context
and instead starts a new one for session stage).

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.
You are watching the reporter.

https://bugzilla.mindrot.org/show_bug.cgi?id=926





--- Comment #34 from Darren Tucker <dtucker at zip.com.au>  2008-04-12
19:05:00 ---
(In reply to comment #33)
> To comment #20:
> Modules do not seem to be able to do converse (in 5.0p1). pam_mount for
> example is affected by this (ideally it would just grab the authtoken
> from the auth stage but sadly enough openssh destroys the pam context
> and instead starts a new one for session stage).
That's a separate issue (see bug #688), however I think it only applies
for challenge-response type authentications.

You can probably work around it by disabling
ChallengeResponseAuthentication in sshd_config or using password
authentication (as opposed to keyboard-interactive, with an OpenSSH
client that's "ssh -o preferredauthentications=password server").

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.
You are watching the reporter.

https://bugzilla.mindrot.org/show_bug.cgi?id=926





--- Comment #35 from Jan Engelhardt <jengelh at gmx.de>  2008-04-12
22:10:57 ---
(from bug #926)
>> Modules do not seem to be able to do converse (in 5.0p1). pam_mount for
>> example is affected by this (ideally it would just grab the authtoken
>> from the auth stage but sadly enough openssh destroys the pam context
>> and instead starts a new one for session stage).
>
>That's a separate issue (see bug #688), however I think it only applies
>for challenge-response type authentications.
                                                                       
      >
>You can probably work around it by disabling
>ChallengeResponseAuthentication in sshd_config or using password
>authentication (as opposed to keyboard-interactive, with an OpenSSH
>client that's "ssh -o preferredauthentications=password
server").
Unfortunately, that does not do it either. CRA is set to no,
PasswordAuthentication set to yes, no pubkey in ~/.ssh. According to
sshd -ddd, it's still conversation error.

pam_mount(pam_mount.c:518) error trying to retrieve authtok from auth
code
pam_mount(pam_mount.c:208) enter read_password
debug3: PAM: sshpam_store_conv called with 1 messages
pam_mount(pam_mount.c:176) conv->conv(...): Conversation error

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.
You are watching the reporter.