bugzilla-daemon at mindrot.org
2020-Sep-08 11:18 UTC
[Bug 3210] New: Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Bug ID: 3210
Summary: Confusing errors when pam_acct_mgmt() fails
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 3445
--> https://bugzilla.mindrot.org/attachment.cgi?id=3445&action=edit
pam: Correctly handle errors from pam_acct_mgmt
The fix for bug #1188 introduced an unconditional override of the return
value from pam_acct_mgmt(), setting PAM_ACCT_EXPIRED on any error from
the account step.
It could have been 15 years ago, when there were not any other reasons
why this function could fail, but these days, there are at least
PAM_USER_UNKNOWN and PAM_PERM_DENIED (from Fedora 32 man pages). In
these cases, openssh goes into unexpected code paths giving confusing
error messages, such as:
pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0
tty=ssh ruser= rhost=client user=useruser
debug1: do_pam_account: called
pam_sss(sshd:account): Access denied for user useruser: 6 (Permission
denied)
debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
debug3: ssh_msg_send: type 13
debug3: PAM: User account has expired
error: PAM: User account has expired for useruser from client
As far as I read that, I do not see any recovery from either of these
errors worth retrying so I believe we should be fine handling them the
same as expired account though.
Attached is a proposed patch, which should handle this use case as
well as the original issue in #1188. Tested in Fedora 32 with
pam_debug.so with respective return values as well as with expired
user.
--
You are receiving this mail because:
You are watching the assignee of the bug.
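A log-triage sketch for the excerpt in the report above, added here as an example and not part of the bug report or of OpenSSH: it pairs each sshd "error: PAM:" line with the preceding debug3 pam_acct_mgmt result and flags cases where the reported reason differs from what PAM returned. The function name, the second and third sample records, and the single-process ordering are assumptions.

```python
import re

# Constructed input: the first record is the excerpt quoted in the report
# (wrapped lines rejoined); the records for "olduser" and "nodebug" are made up.
SAMPLE_LOG = """\
debug1: do_pam_account: called
pam_sss(sshd:account): Access denied for user useruser: 6 (Permission denied)
debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
debug3: ssh_msg_send: type 13
debug3: PAM: User account has expired
error: PAM: User account has expired for useruser from client
debug1: do_pam_account: called
debug3: PAM: do_pam_account pam_acct_mgmt = 13 (User account has expired)
error: PAM: User account has expired for olduser from client
error: PAM: User account has expired for nodebug from client
"""

ACCT_RE = re.compile(r"do_pam_account pam_acct_mgmt = (\d+) \((.*)\)\s*$")
ERR_RE = re.compile(
    r"error: PAM: (?P<reported>.+) for (?:illegal user )?"
    r"(?P<user>\S+) from (?P<host>\S+)\s*$")


def triage(log_text):
    """Pair each sshd 'error: PAM:' line with the preceding pam_acct_mgmt result.

    Assumes the lines come from one sshd process, in order; split real
    syslog output by PID before calling this (hypothetical helper).
    """
    findings, last = [], None
    for line in log_text.splitlines():
        m = ACCT_RE.search(line)
        if m:
            last = (int(m.group(1)), m.group(2))
            continue
        m = ERR_RE.search(line)
        if not m:
            continue
        code, text = last if last else (None, None)
        findings.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "reported": m.group("reported"),
            "pam_code": code,
            "pam_text": text,
            # None means no debug3 line was available to compare against.
            "mislabelled": None if last is None else text != m.group("reported"),
        })
        last = None  # one account result explains at most one error line
    return findings
```

The comparison needs LogLevel DEBUG3 on the server; without it the result is None and the PAM module's own account line (here pam_sss) is the remaining source for the real reason.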
bugzilla-daemon at mindrot.org
2020-Sep-08 11:43 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
FYI, it looks like the countermeasures against retrying the pam again
are now implemented in the privilege separation and my tests end with
the following errors:
debug3: monitor_read: checking request 104
fatal: monitor_read: unpermitted request 104
so the patch might be simplified as it is no longer possible to call
sshpam_init_ctx() at all if I follow the code and logs correctly.
bugzilla-daemon at mindrot.org
2021-Aug-25 12:03 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Darren Moffat <darren.moffat at oracle.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |darren.moffat at oracle.com
--- Comment #2 from Darren Moffat <darren.moffat at oracle.com> ---
Created attachment 3545
--> https://bugzilla.mindrot.org/attachment.cgi?id=3545&action=edit
Alternate proposal to preserve pam_acct_mgmt() return value
I'm adding a slightly different proposed patch, that I believe is both
more generic, in that all error values from pam_acct_mgmt() can be
passed through. It is also slightly smaller a change.
Unlike the prior patch it intentionally overrides a PAM_SUCCESS
sshpam_err value with the one from pam_acct_mgmt(). This is so that an
account that has successfully authenticated but for some other reason is
not allowed access "just now" has an appropriate error returned
(likely PAM_PERM_DENIED).
bugzilla-daemon at mindrot.org
2021-Aug-27 03:13 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
Attachment #3545|0 |1
is patch| |
Attachment #3545|application/octet-stream |text/plain
mime type| |
bugzilla-daemon at mindrot.org
2021-Aug-27 03:17 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3339
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3339
[Bug 3339] Tracking bug for openssh-8.8
bugzilla-daemon at mindrot.org
2021-Sep-13 06:28 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
Comment on attachment 3545
--> https://bugzilla.mindrot.org/attachment.cgi?id=3545
Alternate proposal to preserve pam_acct_mgmt() return value
I think I prefer this approach, however
> sshpam_err = do_pam_account();
[...]
>- return (sshpam_account_status);
>+ return (sshpam_err);
do_pam_account returns u_int but sshpam_err is and pam_account_mgmt returns int. (sshpam_account_status is also an int but it's only used if it's set to 0 or 1)
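Review bot: at the changed return, do_pam_account() stops returning the 0-or-1 sshpam_account_status and returns a PAM code instead, and PAM_SUCCESS is 0, so any caller that still tests the result as a boolean would read a successful account check as a failure. Every caller should be converted to compare against PAM_SUCCESS in the same change, and the declared return type should become int to match sshpam_err, which also settles the u_int mismatch raised above.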
bugzilla-daemon at mindrot.org
2021-Oct-08 11:16 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3353
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3353
[Bug 3353] Tracking bug for openssh-8.9
bugzilla-daemon at mindrot.org
2021-Oct-08 11:16 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|3339 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3339
[Bug 3339] Tracking bug for openssh-8.8
bugzilla-daemon at mindrot.org
2022-Feb-25 02:53 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|3353 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3353
[Bug 3353] Tracking bug for openssh-8.9
bugzilla-daemon at mindrot.org
2022-Feb-25 02:54 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3395
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3395
[Bug 3395] Tracking bug for openssh-9.0
bugzilla-daemon at mindrot.org
2022-Apr-08 01:58 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3418
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3418
[Bug 3418] tracking bug for openssh-9.1
bugzilla-daemon at mindrot.org
2022-Apr-08 02:01 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|3395 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3395
[Bug 3395] Tracking bug for openssh-9.0
bugzilla-daemon at mindrot.org
2022-Oct-04 10:56 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3480
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3480
[Bug 3480] tracking bug for openssh-9.1
bugzilla-daemon at mindrot.org
2022-Oct-04 10:56 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|3418 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3418
[Bug 3418] tracking bug for openssh-9.1
bugzilla-daemon at mindrot.org
2023-Feb-04 06:55 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3533
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3533
[Bug 3533] tracking bug for openssh-9.3
bugzilla-daemon at mindrot.org
2023-Feb-04 06:57 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|3480 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3480
[Bug 3480] tracking bug for openssh-9.2
bugzilla-daemon at mindrot.org
2023-Mar-17 02:32 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3549
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3549
[Bug 3549] Tracking bug for OpenSSH 9.4
bugzilla-daemon at mindrot.org
2023-Mar-17 02:33 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|3533 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3533
[Bug 3533] tracking bug for openssh-9.3
bugzilla-daemon at mindrot.org
2023-Oct-11 23:05 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3628
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3628
[Bug 3628] tracking bug for openssh-9.6
bugzilla-daemon at mindrot.org
2023-Oct-11 23:07 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|3549 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3549
[Bug 3549] Tracking bug for OpenSSH 9.4
bugzilla-daemon at mindrot.org
2024-Jan-09 22:21 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3651
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7
bugzilla-daemon at mindrot.org
2024-Jan-09 22:22 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|3628 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3628
[Bug 3628] tracking bug for openssh-9.6
bugzilla-daemon at mindrot.org
2024-Mar-25 00:32 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3674
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8
bugzilla-daemon at mindrot.org
2024-Mar-25 00:35 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|3651 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7
bugzilla-daemon at mindrot.org
2024-Jul-07 08:35 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3708
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3708
[Bug 3708] Tracking bug for OpenSSH 9.9
bugzilla-daemon at mindrot.org
2024-Jul-07 08:42 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|3674 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8
bugzilla-daemon at mindrot.org
2024-Sep-25 01:08 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|3708 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3708
[Bug 3708] Tracking bug for OpenSSH 9.9