bugzilla-daemon at mindrot.org
2015-May-14 22:47 UTC
[Bug 2399] New: openssh server should fatal out when pam_setcred and pam_open_session fail
bugzilla.mindrot.org/show_bug.cgi?id=2399 Bug ID: 2399 Summary: openssh server should fatal out when pam_setcred and pam_open_session fail Product: Portable OpenSSH Version: 6.8p1 Hardware: Sparc OS: Solaris Status: NEW Severity: normal Priority: P5 Component: PAM support Assignee: unassigned-bugs at mindrot.org Reporter: huieying.lee at oracle.com Created attachment 2621 --> bugzilla.mindrot.org/attachment.cgi?id=2621&action=edit bug fix to correctly handle pam_setcred and pam_open_session failure Currently, when the system has a PAM module configured for the auth PAM stack that does not actually exist, OpenSSH still allows a user to log in, if user authentication method is not keyboard-interactive or password. For example, in /etc/pam.d/other: auth required pam_dhkeys.so.1 auth required pam_do_not_exist.so.1 <----------- bad auth binding pam_unix_auth.so.1 server_policy In the above situation, pam_setcred() does return an error, but server only give a warning and still allow a user to log in if he/she doesn't use keyboard-interacitve user auth. This is not an expected behavior. OpenSSH server should be changed to exit out when pam_setcred() or pam_open_session() fail. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2015-May-15 03:46 UTC
[Bug 2399] openssh server should fatal out when pam_setcred and pam_open_session fail
bugzilla.mindrot.org/show_bug.cgi?id=2399 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dtucker at zip.com.au Attachment #2621|application/octet-stream |text/plain mime type| | Attachment #2621|0 |1 is patch| | -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
Reasonably Related Threads
- Patches to report rsaref build and to call pam_setcred
- pam_setcred fails for "USE_POSIX_THREADS + non-root users + PrivSep yes"
- pam_limits module bug and its effects on pam applications
- [Bug 2340] New: Openssh issue: unable to ssh the solaris server from ldap users
- lastlog on Solaris with PAM (patch included)