bugzilla-daemon at mindrot.org
2015-May-14 22:47 UTC
[Bug 2399] New: openssh server should fatal out when pam_setcred and pam_open_session fail
https://bugzilla.mindrot.org/show_bug.cgi?id=2399
Bug ID: 2399
Summary: openssh server should fatal out when pam_setcred and
pam_open_session fail
Product: Portable OpenSSH
Version: 6.8p1
Hardware: Sparc
OS: Solaris
Status: NEW
Severity: normal
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
Reporter: huieying.lee at oracle.com
Created attachment 2621
--> https://bugzilla.mindrot.org/attachment.cgi?id=2621&action=edit
bug fix to correctly handle pam_setcred and pam_open_session failure
Currently, when the system has a PAM module configured for the auth PAM
stack that does not actually exist, OpenSSH still allows a user to log
in, if the user authentication method is not keyboard-interactive or
password.
For example, in /etc/pam.d/other:
    auth required pam_dhkeys.so.1
    auth required pam_do_not_exist.so.1 <----------- bad
    auth binding pam_unix_auth.so.1 server_policy
In the above situation, pam_setcred() does return an error, but the
server only gives a warning and still allows a user to log in if he/she
doesn't use keyboard-interactive user auth.
This is not expected behavior. OpenSSH server should be changed to
exit out when pam_setcred() or pam_open_session() fails.
--
You are receiving this mail because:
You are watching the assignee of the bug.
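An audit for the misconfiguration described in the report above, as an added example that is not part of the original bug report or of OpenSSH: it flags PAM stack entries whose module file cannot be found. The function names, the throwaway module directory and the sample stack (the report's three lines without the annotation) are assumptions made for illustration.

```python
import os
import tempfile

PAM_TYPES = {"auth", "account", "password", "session"}

def parse_entry(line):
    """Return (type, module) for a pam.d-style line, or None if it is not a module entry."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 3 or fields[0].lstrip("-") not in PAM_TYPES:
        return None
    idx = 1
    if fields[idx].startswith("["):      # Linux-PAM bracketed control, e.g. [success=1 default=ignore]
        while idx < len(fields) and not fields[idx].endswith("]"):
            idx += 1
    idx += 1                             # first field after the control flag is the module
    if idx >= len(fields):
        return None
    return fields[0].lstrip("-"), fields[idx]

def missing_modules(config_text, module_dirs):
    """List (line_no, type, module) for entries whose module file does not exist.

    Relative module names are looked up in module_dirs; path tokens such as
    $ISA are not expanded (limitation of this sketch).
    """
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        pam_type, module = entry
        if os.path.isabs(module):
            candidates = [module]
        else:
            candidates = [os.path.join(d, module) for d in module_dirs]
        if not any(os.path.isfile(c) for c in candidates):
            findings.append((line_no, pam_type, module))
    return findings

# Constructed sample: the stack from the report, minus the "bad" annotation.
SAMPLE = """\
auth required pam_dhkeys.so.1
auth required pam_do_not_exist.so.1
auth binding pam_unix_auth.so.1 server_policy
"""

def demo():
    """Check SAMPLE against a temporary directory that holds only the two existing modules."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("pam_dhkeys.so.1", "pam_unix_auth.so.1"):
            open(os.path.join(d, name), "w").close()
        return missing_modules(SAMPLE, [d])

if __name__ == "__main__":
    for line_no, pam_type, module in demo():
        print(f"line {line_no}: {pam_type} module {module} not found")
```

On a real host, pass the contents of each PAM configuration file and the platform's actual module directories to `missing_modules`.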
bugzilla-daemon at mindrot.org
2015-May-15 03:46 UTC
[Bug 2399] openssh server should fatal out when pam_setcred and pam_open_session fail
https://bugzilla.mindrot.org/show_bug.cgi?id=2399
Darren Tucker <dtucker at zip.com.au> changed:
What                       |Removed                   |Added
----------------------------------------------------------------------------
CC                         |                          |dtucker at zip.com.au
Attachment #2621 mime type |application/octet-stream  |text/plain
Attachment #2621 is patch  |0                         |1