openssh bugs - Jun 2008 - [Bug 926] pam_session_close called as user or not at all

https://bugzilla.mindrot.org/show_bug.cgi?id=926


Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org




--- Comment #36 from Damien Miller <djm at mindrot.org>  2008-06-30
17:39:52 ---
pam_mount tries to ask a password from the user*, which puts it in
challenge-response case of needing more than one interaction. Since
session modules can't interact with the user other than to display
messages, you'd also need to put it in the PAM accounting stack. This
is what bug #688 is about, and isn't related to this one
(pam_session_close behaviour).

IMO this bug can be closed with the release of openssh-4.8p1. Darren,
do you agree? Isn't this also incorrectly marked as blocking 5.1?

* See
http://www.google.com/codesearch?hl=en&q=show:9Q9GBXVnR7k:chgFMim3giQ:glu2lh4-EfU&sa=N&ct=rd&cs_p=http://open-systems.ufl.edu/mirrors/gentoo/distfiles/pam_mount-0.18.tar.bz2&cs_f=pam_mount-0.18/src/pam_mount.c&start=1#l195

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.
You are watching the reporter.

https://bugzilla.mindrot.org/show_bug.cgi?id=926





--- Comment #37 from Darren Tucker <dtucker at zip.com.au>  2008-06-30
20:25:45 ---
(In reply to comment #36)
> pam_mount tries to ask a password from the user*, which puts it in
> challenge-response case of needing more than one interaction. Since
> session modules can't interact with the user other than to display
> messages, you'd also need to put it in the PAM accounting stack. This
> is what bug #688 is about, and isn't related to this one
> (pam_session_close behaviour).
> 
> IMO this bug can be closed with the release of openssh-4.8p1. Darren,
> do you agree? Isn't this also incorrectly marked as blocking 5.1?
The thing is it (pam_mount) probably used to work with at least
privsep=no, because the session wasn't opened until the pty had been
allocated, thus the modules could interact using the tty conversation
function.  So, this is a regression (I what I was worried about in
comment #27).

Now that the session is opened in the monitor, the session modules
can't interact with the user.  On the flip side, the session close now
runs with  privilege.

So, take the bug out of the 5.1 list, but I wouldn't close it yet.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.
You are watching the reporter.

https://bugzilla.mindrot.org/show_bug.cgi?id=926


Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1452                        |




-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.
You are watching the reporter.