We've been having trouble with OpenSSH 2.9p2, running on Solaris 8 (a domain of an E10k), with PAM authentication turned on. It intermittently crashes with signal 11 (seg fault) after the password is entered, after the MOTD is displayed, but before control is passed over to the login shell.

I eventually managed to persuade sshd's child process to consistently crash, upon entry of an invalid password (of nine characters in length initially; subsequent tests worked for a password of just five characters ["hello", for what it's worth :) ]), followed by the correct password.

Investigation (using copious debug() statements) has isolated the problem down to one line of code:

    pam_retval = pam_setcred(__pamh, init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);

in auth-pam.c, function do_pam_setcred(). It appears that this function is being called twice: once with init set, once without (ie: once with PAM_ESTABLISH_CRED, once with PAM_REINITIALIZE_CRED). It's on the call to pam_setcred(__pamh, PAM_REINITIALIZE_CRED) that the seg fault occurs.

To clarify why we're using PAM: the system in question is set up to communicate with a Kerberos server, with all authentication being done using Kerberos. It's somewhat easier to do all of that with PAM than to try to replace login, etc.

There's also been the question of whether do_pam_setcred() should be called before or after the uid has been set to the user's. Changing the code to call do_pam_setcred() after the call to permanently_set_uid(), however, seems to make no difference to the crashing.

Any clues would be very much appreciated. sshd is now at the point where it *mostly* works; it'd just be nice to get it to the point where it *completely* works, no ifs, buts, or maybes :) Otherwise, I foresee myself going bald in a very short space of time. *wry smile*

Ta muchly,

Stuart.
Darren J Moffat
2001-Aug-28 18:45 UTC
OpenSSHd barfs upon reauthentication: PAM, Solaris 8
On Tue, 28 Aug 2001, Stuart Lamble wrote:

> To clarify why we're using PAM: the system in question is set up to
> communicate with a Kerberos server, with all authentication being done
> using Kerberos. It's somewhat easier to do all of that with PAM than to
> try to replace login, etc.

Are you using the pam_krb5 module shipped with Solaris? Does pam_krb5 work properly for you when used with dtlogin or /bin/login (ie login at the console)?

> There's also been the question of whether do_pam_setcred() should be called
> before or after the uid has been set to the user's. Changing the code to
> call do_pam_setcred() after the call to permanently_set_uid(), however,
> seems to make no difference to the crashing.

It has to be before you give up root creds, since there are assumptions in some PAM modules that it can do things only root can do (making private nfs system calls to pass creds down to the kernel for use by NFS).

Does sshd work for you when you use pam_unix instead of pam_krb5? Are you using only pam_krb5?

Are you doing authentication via PAM or via publickey? (This I think could be the critical part because I have a feeling there is an assumption in the pam_krb5 module that pam_sm_setcred is only being called after pam_sm_authenticate.)

--
Darren J Moffat