bugzilla-daemon at mindrot.org
2020-Sep-08 11:18 UTC
[Bug 3210] New: Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

            Bug ID: 3210
           Summary: Confusing errors when pam_acct_mgmt() fails
           Product: Portable OpenSSH
           Version: 8.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 3445
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3445&action=edit
pam: Correctly handle errors from pam_acct_mgmt

The fix for bug #1188 introduced an unconditional override of return value from pam_acct_mgmt(), setting PAM_ACCT_EXPIRED on any error from account step. It could have been 15 years ago, when there were not any other reasons why this function could fail, but these days, there are at least PAM_USER_UNKNOWN and PAM_PERM_DENIED (from Fedora 32 man pages). In these cases, openssh goes into unexpected code paths giving confusing error messages, such as:

pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=client user=useruser
debug1: do_pam_account: called
pam_sss(sshd:account): Access denied for user useruser: 6 (Permission denied)
debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
debug3: ssh_msg_send: type 13
debug3: PAM: User account has expired
error: PAM: User account has expired for useruser from client

As far as I read that, I do not see any recovery from either of these errors worth retrying so I believe we should be fine handling them the same as expired account though.

The attached is a proposed patch, which should handle this use case as well as the original issue in #1188. Tested in Fedora 32 with pam_debug.so with respective return values as well as with expired user.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
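The mismatch visible in the log above can be found mechanically. The following is an added example, not part of the bug report or of OpenSSH: it pairs each pam_acct_mgmt debug3 line with the next "error: PAM:" line from the same sshd process and returns the logins where the two reasons disagree. It assumes sshd is logging at DEBUG3 as in the report; the function name and the sshd[4242] sample lines are constructed.

```python
import re

# debug3 line where sshd records what pam_acct_mgmt() really returned.
ACCT_RE = re.compile(r"do_pam_account pam_acct_mgmt = (\d+) \((.+?)\)\s*$")
# Final error line sshd emits for the rejected login.
ERR_RE = re.compile(r"error: PAM: (.+) for (\S+) from (\S+)\s*$")
# Optional syslog prefix; lines without it (as in the report) share one key.
PID_RE = re.compile(r"sshd\[(\d+)\]")


def find_masked_account_errors(lines):
    """Pair each pam_acct_mgmt result with the error sshd reported next for
    the same process, and return the pairs whose texts disagree."""
    pending = {}   # pid (or None) -> (code, text) from pam_acct_mgmt
    findings = []
    for line in lines:
        pid_m = PID_RE.search(line)
        pid = pid_m.group(1) if pid_m else None
        acct = ACCT_RE.search(line)
        if acct:
            pending[pid] = (int(acct.group(1)), acct.group(2))
            continue
        err = ERR_RE.search(line)
        if err and pid in pending:
            code, actual = pending.pop(pid)
            reported, user, host = err.groups()
            if reported.lower() != actual.lower():
                findings.append({"user": user, "host": host, "pam_code": code,
                                 "actual": actual, "reported": reported})
    return findings


# First four lines are from the bug report; the sshd[4242] lines are
# constructed to show a genuinely expired account, which must not be flagged.
SAMPLE = """\
debug1: do_pam_account: called
debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
debug3: PAM: User account has expired
error: PAM: User account has expired for useruser from client
sshd[4242]: debug3: PAM: do_pam_account pam_acct_mgmt = 13 (User account has expired)
sshd[4242]: error: PAM: User account has expired for olduser from client2
""".splitlines()

if __name__ == "__main__":
    for f in find_masked_account_errors(SAMPLE):
        print("{user}@{host}: sshd said {reported!r}, PAM returned "
              "{pam_code} ({actual})".format(**f))
```

On an sshd that no longer overrides the account result, the same check should return nothing for these logins.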
bugzilla-daemon at mindrot.org
2020-Sep-08 11:43 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
FYI, it looks like the countermeasures against retrying the pam again are now implemented in the privilege separation and my tests end with the following errors:

debug3: monitor_read: checking request 104
fatal: monitor_read: unpermitted request 104

so the patch might be simplified as it is no longer possible to call sshpam_init_ctx() at all if I follow the code and logs correctly.
bugzilla-daemon at mindrot.org
2021-Aug-25 12:03 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Darren Moffat <darren.moffat at oracle.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |darren.moffat at oracle.com

--- Comment #2 from Darren Moffat <darren.moffat at oracle.com> ---
Created attachment 3545
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3545&action=edit
Alternate proposal to preserve pam_acct_mgmt() return value

I'm adding a slightly different proposed patch, that I believe is both more generic, in that all error values from pam_acct_mgmt() can be passed through. It is also slightly smaller a change.

Unlike the prior patch it intentionally overrides a PAM_SUCCESS sshpam_err value with the one from pam_acct_mgmt(). This is so that an account that has successfully authenticated but for some other reason is not allowed access "just now" has an appropriate error returned (likely PAM_PERM_DENIED).
bugzilla-daemon at mindrot.org
2021-Aug-27 03:13 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
   Attachment #3545|0                           |1
           is patch|                            |
   Attachment #3545|application/octet-stream    |text/plain
          mime type|                            |
bugzilla-daemon at mindrot.org
2021-Aug-27 03:17 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3339

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3339
[Bug 3339] Tracking bug for openssh-8.8
bugzilla-daemon at mindrot.org
2021-Sep-13 06:28 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
Comment on attachment 3545
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3545
Alternate proposal to preserve pam_acct_mgmt() return value

I think I prefer this approach, however

> sshpam_err = do_pam_account();[...]>- return (sshpam_account_status); >+ return (sshpam_err);

do_pam_account returns u_int but sshpam_err is and pam_account_mgmt returns int. (sshpam_account_status is also an int but it's only used if it's set to 0 or 1)
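Review bot: the changed return in the quoted hunk, `return (sshpam_err);`, hands callers a PAM code in place of a flag that the reply describes as only ever 0 or 1, and PAM_SUCCESS is 0, so any caller that still tests the result for truth would read success as failure. Every caller other than the visible `sshpam_err = do_pam_account();` should be checked for that pattern, and the new return convention should be stated in a comment at the function, with the return type changed to int to match the value now returned.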
bugzilla-daemon at mindrot.org
2021-Oct-08 11:16 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3353

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3353
[Bug 3353] Tracking bug for openssh-8.9
bugzilla-daemon at mindrot.org
2021-Oct-08 11:16 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3339                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3339
[Bug 3339] Tracking bug for openssh-8.8
bugzilla-daemon at mindrot.org
2022-Feb-25 02:53 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3353                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3353
[Bug 3353] Tracking bug for openssh-8.9
bugzilla-daemon at mindrot.org
2022-Feb-25 02:54 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3395

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3395
[Bug 3395] Tracking bug for openssh-9.0
bugzilla-daemon at mindrot.org
2022-Apr-08 01:58 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3418

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3418
[Bug 3418] tracking bug for openssh-9.1
bugzilla-daemon at mindrot.org
2022-Apr-08 02:01 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3395                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3395
[Bug 3395] Tracking bug for openssh-9.0
bugzilla-daemon at mindrot.org
2022-Oct-04 10:56 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3480

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3480
[Bug 3480] tracking bug for openssh-9.1
bugzilla-daemon at mindrot.org
2022-Oct-04 10:56 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3418                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3418
[Bug 3418] tracking bug for openssh-9.1
bugzilla-daemon at mindrot.org
2023-Feb-04 06:55 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3533

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3533
[Bug 3533] tracking bug for openssh-9.3
bugzilla-daemon at mindrot.org
2023-Feb-04 06:57 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3480                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3480
[Bug 3480] tracking bug for openssh-9.2
bugzilla-daemon at mindrot.org
2023-Mar-17 02:32 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3549

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3549
[Bug 3549] Tracking bug for OpenSSH 9.4
bugzilla-daemon at mindrot.org
2023-Mar-17 02:33 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3533                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3533
[Bug 3533] tracking bug for openssh-9.3
bugzilla-daemon at mindrot.org
2023-Oct-11 23:05 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3628

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3628
[Bug 3628] tracking bug for openssh-9.6
bugzilla-daemon at mindrot.org
2023-Oct-11 23:07 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3549                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3549
[Bug 3549] Tracking bug for OpenSSH 9.4
bugzilla-daemon at mindrot.org
2024-Jan-09 22:21 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3651

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7
bugzilla-daemon at mindrot.org
2024-Jan-09 22:22 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3628                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3628
[Bug 3628] tracking bug for openssh-9.6
bugzilla-daemon at mindrot.org
2024-Mar-25 00:32 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3674

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8
bugzilla-daemon at mindrot.org
2024-Mar-25 00:35 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3651                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7
bugzilla-daemon at mindrot.org
2024-Jul-07 08:35 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3708

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3708
[Bug 3708] Tracking bug for OpenSSH 9.9
bugzilla-daemon at mindrot.org
2024-Jul-07 08:42 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3674                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3674
[Bug 3674] Tracking bug for OpenSSH 9.8
bugzilla-daemon at mindrot.org
2024-Sep-25 01:08 UTC
[Bug 3210] Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3708                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3708
[Bug 3708] Tracking bug for OpenSSH 9.9