openssh unix dev - Feb 2000 - [Colin Watson <cjw44@cam.ac.uk>] Bug#49902: [PATCH] Bug#49902: ssh and pam conspire to deny logins

Hi,

Here's a helpful patch from one of our (Debian's) users.

I'd guess that the similar if/xfree a few lines above in the #if PAM
section could do with the same treatment.

Cheers, Phil.

--[[message/rfc822]]
Date: Sat, 29 Jan 2000 11:11:32 +0000
From: Colin Watson <cjw44 at cam.ac.uk>
To: 49902 at bugs.debian.org

[Bug was that when sshing one's password is denied, apparently by PAM.]

Firstly, moving (or linking) /etc/pam.d/ssh to /etc/pam.d/sshd as
suggested doesn't help me; I still get:

[cjw44 at quicksilver ~]$ ssh riva
cjw44 at cjw44.trin.cam.ac.uk's password: [fx: types in correct password]
Connection closed by 131.111.193.196

This bug has an interesting interaction with identities. I only
experience this bug when sshing from an account with an identity file in
~/.ssh/identity to an account which is not set up to recognize that
identity. A temporary workaround is to specify an identity file which
isn't, as follows:

[cjw44 at quicksilver ~]$ ssh -i /dev/null riva
cjw44 at cjw44.trin.cam.ac.uk's password: [fx: types in correct password]
Last login: Sat Jan 29 09:14:17 2000 from quicksilver.trin.cam.ac.uk
[...]

Running sshd in debugging mode reveals that it segfaults after receiving
my password, but only if it had previously attempted to authenticate me
based on an identity file. MALLOC_CHECK_ was my friend! A patch (whose
purpose should be obvious) follows:

--- sshd.c.orig Sat Jan 29 11:00:50 2000
+++ sshd.c      Sat Jan 29 11:01:29 2000
@@ -1414,8 +1414,10 @@
                        return;
                }
 
-               if (client_user != NULL)
+               if (client_user != NULL) {
                        xfree(client_user);
+                       client_user = NULL;
+               }
 
                if (attempt > AUTH_FAIL_MAX)
                        packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);

This should close this bug and #54894 (which I don't believe would have
posed security problems), and with a bit of luck might yield more clues
to #51306 as well.

HTH,

-- 
Colin Watson                                           [cjw44 at cam.ac.uk]


--[[text/plain]]