bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-16 19:32 UTC
[Bug 1799] New: Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799
Summary: Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
Product: Portable OpenSSH
Version: 5.5p1
Platform: ix86
OS/Version: Solaris
Status: NEW
Severity: major
Priority: P2
Component: PAM support
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: kstemen at likewise.com
Created attachment 1899
--> https://bugzilla.mindrot.org/attachment.cgi?id=1899
test program that shows what kind of ttys are accepted
I downloaded openssh 5.5p1 for Solaris 8 x86 from Sunfreeware at
ftp://ftp.sunfreeware.com/pub/freeware/intel/8/openssh-5.5p1-sol8-x86-local.gz.
If I set the UsePAM setting to yes, then no user is able to login. When
the server is running with debugging, the client shows:
$ ssh testuser at 10.100.3.175
Password:
Last login: Fri Jul 16 19:17:14 2010 from kyle-vmserver.c
Sun Microsystems Inc. SunOS 5.8 Generic February 2000
debug3: PAM session not opened, exiting
Connection to 10.100.3.175 closed.
$
The error on the server is:
debug3: PAM: opening session
PAM: pam_open_session(): Can not make/remove entry for session
I have determined the problem is that pam_unix.so.1 does not like the
value of PAM_TTY. I see this in the source code:
#ifdef PAM_TTY_KLUDGE
    /*
     * Some silly PAM modules (e.g. pam_time) require a TTY to operate.
     * sshd doesn't set the tty until too late in the auth process and
     * may not even set one (for tty-less connections)
     */
    debug("PAM: setting PAM_TTY to \"ssh\"");
    sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh");
    if (sshpam_err != PAM_SUCCESS) {
        pam_end(sshpam_handle, sshpam_err);
        sshpam_handle = NULL;
        return (-1);
    }
#endif
I can tell that Sunfreeware did define PAM_TTY_KLUDGE, because I see
this in the server's debug output:
debug1: PAM: setting PAM_TTY to "ssh"
I wrote a test program to show that Solaris 8 does not like this value
(attached). Here is the output from the program:
bash-2.03# gcc -Wall -Werror -lpam try_tty.c -o try_tty
bash-2.03# ./try_tty
Trying without PAM_TTY set
opensession: Can not make/remove entry for session
Trying with PAM_TTY set to 'ssh'
opensession: Can not make/remove entry for session
Trying with PAM_TTY set to '/dev/ssh'
opensession: Success
bash-2.03# ls -l /dev/ssh
/dev/ssh: No such file or directory
bash-2.03# cat /etc/release
Solaris 8 2/02 s28x_u7wos_08a INTEL
Copyright 2002 Sun Microsystems, Inc. All Rights Reserved.
Assembled 18 December 2001
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
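As an added example (not part of the bug report, its attachments, or OpenSSH), the shell function below scans sshd debug output for the two server-side lines quoted in the report above: the PAM_TTY_KLUDGE debug line and the pam_open_session() failure. The function name and result labels are assumptions, and the sample log is constructed from the lines quoted in the report.

```shell
#!/bin/sh
# Added example: triage sshd debug output for the failure described in this bug.
# Reads a log on stdin and prints exactly one result line:
#   kludge-session-failure tty=<value>  sshd set PAM_TTY and the session open failed
#   session-failure                     session open failed, no PAM_TTY debug line seen
#   ok                                  no pam_open_session() failure in the log
classify_pam_tty_log() {
    awk '
        index($0, "PAM: setting PAM_TTY to \"") > 0 {
            # Extract the quoted value from: PAM: setting PAM_TTY to "ssh"
            n = split($0, parts, "\"")
            if (n >= 2) tty = parts[2]
            seen_tty = 1
        }
        index($0, "pam_open_session(): Can not make/remove entry for session") > 0 {
            failed = 1
        }
        END {
            if (failed && seen_tty) printf "kludge-session-failure tty=%s\n", tty
            else if (failed)        print "session-failure"
            else                    print "ok"
        }
    '
}

# Constructed sample: the three server-side debug lines quoted in the report.
SAMPLE_LOG='debug1: PAM: setting PAM_TTY to "ssh"
debug3: PAM: opening session
PAM: pam_open_session(): Can not make/remove entry for session'

printf '%s\n' "$SAMPLE_LOG" | classify_pam_tty_log
```

A "kludge-session-failure" result only says the two symptoms appear together in one log; whether the PAM_TTY value is the cause still has to be confirmed on the host, as the reporter did with the test program.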
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-16 19:35 UTC
[Bug 1799] Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799
--- Comment #1 from Kyle Stemen <kstemen at likewise.com> ---
Created attachment 1900
--> https://bugzilla.mindrot.org/attachment.cgi?id=1900
output of 'showrev -p' on solaris system
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-19 03:29 UTC
[Bug 1799] Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Can you reproduce the problem with the vanilla source from
www.openssh.com or is it specific to the build supplied by sunfreeware?
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-19 16:18 UTC
[Bug 1799] Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799
--- Comment #3 from Kyle Stemen <kstemen at likewise.com> ---
Sunfreeware has applied no patches. I compared their source tarball
against the one on openssh.com.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-20 02:01 UTC
[Bug 1799] Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799
--- Comment #4 from Darren Tucker <dtucker at zip.com.au> ---
Your test program works fine on my solaris 8 (sparc) machine but it
doesn't have recent patches. I suspect the problem is either introduced
in a patch or specific to the x86 version (unlikely).
Changing the kludge to /dev/ssh is a possibility but I am concerned this
may impact other platforms negatively.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-20 02:01 UTC
[Bug 1799] Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799
--- Comment #5 from Darren Tucker <dtucker at zip.com.au> ---
Created attachment 1906
--> https://bugzilla.mindrot.org/attachment.cgi?id=1906
openssh-pam_tty.patch
PAM_TTY_KLUDGE ssh -> /dev/ssh
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-20 16:03 UTC
[Bug 1799] Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799
--- Comment #6 from Kyle Stemen <kstemen at likewise.com> ---
My Solaris machine does not have the latest patches either. Could you
attach the output of 'showrev -p' from your Solaris 8 machine? That
command lists the installed patches on the machine. I could compare it
with the patches from my system.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-23 05:04 UTC
[Bug 1799] Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799
--- Comment #7 from Darren Tucker <dtucker at zip.com.au> ---
Created attachment 1907
--> https://bugzilla.mindrot.org/attachment.cgi?id=1907
showrev -p from my solaris 8/sparc machine
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-23 16:20 UTC
[Bug 1799] Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799
--- Comment #8 from Kyle Stemen <kstemen at likewise.com> ---
I am not having trouble on Solaris 8 Sparc either. The difficulty is
that different patches apply to Sparc and x86. Do you have a Solaris 8
x86 machine to try it on?