bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-16 19:32 UTC
[Bug 1799] New: Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799
Summary: Unable to login through PAM on Solaris 8 x86 due to
PAM_TTY
Product: Portable OpenSSH
Version: 5.5p1
Platform: ix86
OS/Version: Solaris
Status: NEW
Severity: major
Priority: P2
Component: PAM support
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: kstemen at likewise.com
Created attachment 1899
--> https://bugzilla.mindrot.org/attachment.cgi?id=1899
test program that shows what kind of ttys are accepted
I downloaded openssh 5.5p1 for Solaris 8 x86 from Sunfreeware at
ftp://ftp.sunfreeware.com/pub/freeware/intel/8/openssh-5.5p1-sol8-x86-local.gz
.
If I set the UsePAM setting to yes, then no user is able to login. When
the server is running with debugging, the client shows:
$ ssh testuser at 10.100.3.175
Password:
Last login: Fri Jul 16 19:17:14 2010 from kyle-vmserver.c
Sun Microsystems Inc. SunOS 5.8 Generic February 2000
debug3: PAM session not opened, exiting
Connection to 10.100.3.175 closed.
$
The error on the server is:
debug3: PAM: opening session
PAM: pam_open_session(): Can not make/remove entry for session
I have determined the problem is that pam_unix.so.1 does not like the
value of PAM_TTY. I see this in the source code:
#ifdef PAM_TTY_KLUDGE
/*
* Some silly PAM modules (e.g. pam_time) require a TTY to operate.
* sshd doesn't set the tty until too late in the auth process and
* may not even set one (for tty-less connections)
*/
debug("PAM: setting PAM_TTY to \"ssh\"");
sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh");
if (sshpam_err != PAM_SUCCESS) {
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
return (-1);
}
#endif
I can tell that Sunfreeware did define PAM_TTY_KLUDGE, because I see
this in the server's debug output:
debug1: PAM: setting PAM_TTY to "ssh"
I wrote a test program to show that Solaris 8 does not like this value
(attached). Here is the output from the program:
bash-2.03# gcc -Wall -Werror -lpam try_tty.c -o try_tty
bash-2.03# ./try_tty
Trying without PAM_TTY set
opensession: Can not make/remove entry for session
Trying with PAM_TTY set to 'ssh'
opensession: Can not make/remove entry for session
Trying with PAM_TTY set to '/dev/ssh'
opensession: Success
bash-2.03# ls -l /dev/ssh
/dev/ssh: No such file or directory
bash-2.03# cat /etc/release
Solaris 8 2/02 s28x_u7wos_08a INTEL
Copyright 2002 Sun Microsystems, Inc. All Rights Reserved.
Assembled 18 December 2001
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-16 19:35 UTC
[Bug 1799] Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799 --- Comment #1 from Kyle Stemen <kstemen at likewise.com> --- Created attachment 1900 --> https://bugzilla.mindrot.org/attachment.cgi?id=1900 output of 'showrev -p' on solaris system -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-19 03:29 UTC
[Bug 1799] Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Can you reproduce the problem with the vanilla source from
www.openssh.com or is it specific to the build supplied by sunfreeware?
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-19 16:18 UTC
[Bug 1799] Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799 --- Comment #3 from Kyle Stemen <kstemen at likewise.com> --- Sunfreeware has applied no patches. I compared their source tarball against the one on openssh.com. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-20 02:01 UTC
[Bug 1799] Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799 --- Comment #4 from Darren Tucker <dtucker at zip.com.au> --- Your test program works fine on my solaris 8 (sparc) machine but it doesn't have recent patches. I suspect the problem is either introduced in a patch or specific to the x86 version (unlikely). Changing the kludge to /dev/ssh is a possibility but I am concerned this may impact other platforms negatively. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-20 02:01 UTC
[Bug 1799] Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799 --- Comment #5 from Darren Tucker <dtucker at zip.com.au> --- Created attachment 1906 --> https://bugzilla.mindrot.org/attachment.cgi?id=1906 openssh-pam_tty.patch PAM_TTY_KLUDGE ssh -> /dev/ssh -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-20 16:03 UTC
[Bug 1799] Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799 --- Comment #6 from Kyle Stemen <kstemen at likewise.com> --- My Solaris machine does not have the latest patches either. Could you attach the output of 'showrev -p' from your Solaris 8 machine? That command lists the installed patches on the machine. I could compare it with the patches from my system. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-23 05:04 UTC
[Bug 1799] Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799 --- Comment #7 from Darren Tucker <dtucker at zip.com.au> --- Created attachment 1907 --> https://bugzilla.mindrot.org/attachment.cgi?id=1907 showrev -p from my solaris 8/sparc machine -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-23 16:20 UTC
[Bug 1799] Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799 --- Comment #8 from Kyle Stemen <kstemen at likewise.com> --- I am not having trouble on Solaris 8 Sparc either. The difficulty is that different patches apply to Sparc and x86. Do you have a Solaris 8 x86 machine to try it on? -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.