bugzilla-daemon at mindrot.org
2002-Oct-21 07:45 UTC
[Bug 419] New: HP-UX PAM problems with 3.5p1
http://bugzilla.mindrot.org/show_bug.cgi?id=419

Summary: HP-UX PAM problems with 3.5p1
Product: Portable OpenSSH
Version: -current
Platform: HPPA
OS/Version: HP-UX
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: michael_steffens at hp.com

Hello,

thanks very much for releasing OpenSSH 3.5p1! Unfortunately there are still problems with HP-UX PAM. The attached patch addresses a known one, and one that I haven't found any HP-UX related postings for.

1) pam_open_session() failure with privilege separation and HP-UX running in trusted mode.

This is known and Dan Wanek has posted a patch for 3.4p1 fixing it on July 16:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102682619813556&w=2

It has got quite good comments and works fine here, but hasn't made it into 3.5p1. Why? I merged it into 3.5p1 (which exhibits the same problem) manually, and it still does fine, tested on 11.00 and 11.11. (If you decide to merge it into official source trees please remember to give credits to Dan rather than me for this portion :)

2) Failed deletion of credentials in do_pam_cleanup_proc()

This issue seems to be old (observed with 3.1p1, 3.4p1, and 3.5p1 in both trusted and non-trusted mode, both with or without privilege separation). I'm not sure how critical this is, as 3.1p1 seems to run happily for many months without a visible impact, but the error messages still look quite odd. On session termination sshd reports, in debug mode:

debug1: Cannot delete credentials[9]: Authentication failed

("Authentication failed" is reported with privsep. Without it, the reason given is "Permission denied".)
When turning on debug logging in syslog, the messages corresponding to session termination are:

PAM: pam_close_session()
PAM: load_function: successful load of pam_sm_close_session
PAM: pam_setcred: error Authentication failed
PAM: pam_end(): status = Authentication failed

Strangely enough, pam_end() is reported to have failed too, despite sshd apparently having got PAM_SUCCESS returned! I tried the system native login program to see how it is scheduling PAM session cleanup. Not at all: neither pam_close_session() nor pam_setcred() are being called. Only pam_end(), which is reported to be successful in the syslog debug log. When omitting credentials deletion in sshd, and relying on pam_end() to do that implicitly, the errors triggered by the daemon vanish, both with and without privsep:

PAM: pam_close_session()
PAM: load_function: successful load of pam_sm_close_session
PAM: pam_end(): status = Success

So it seems to be preferable to skip credentials deletion on HP-UX...

Cheers!
Michael

diff -u -r openssh-3.5p1/auth-pam.c openssh-3.5p1a/auth-pam.c --- openssh-3.5p1/auth-pam.c Sun Jul 28 22:24:08 2002 +++ openssh-3.5p1a/auth-pam.c Wed Oct 16 15:00:01 2002 @@ -186,12 +186,14 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +#ifndef __hpux if (__pamh && creds_set) { pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +#endif if (__pamh) { pam_retval = pam_end(__pamh, pam_retval);
@@ -299,6 +301,18 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); session_opened = 1; +} + +/* Set the TTY after session is open */ +void do_pam_set_tty(const char *ttyname) { + int pam_retval; + if (ttyname != NULL) { + debug("PAM setting tty to \"%.200s\"", ttyname); + pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname); + if (pam_retval != PAM_SUCCESS) + fatal("PAM set tty failed[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); + } } /* Set PAM credentials */ diff -u -r openssh-3.5p1/auth-pam.h openssh-3.5p1a/auth-pam.h --- openssh-3.5p1/auth-pam.h Tue Jul 23 02:44:07 2002 +++ openssh-3.5p1a/auth-pam.h Wed Oct 16 10:00:40 2002 @@ -39,6 +39,7 @@ int do_pam_authenticate(int flags); int do_pam_account(char *username, char *remote_user); void do_pam_session(char *username, const char *ttyname); +void do_pam_set_tty(const char *ttyname); void do_pam_setcred(int init); void print_pam_messages(void); int is_pam_password_change_required(void); diff -u -r openssh-3.5p1/session.c openssh-3.5p1a/session.c --- openssh-3.5p1/session.c Thu Sep 26 02:38:50 2002 +++ openssh-3.5p1a/session.c Wed Oct 16 15:01:40 2002 @@ -454,7 +454,6 @@ session_proctitle(s); #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, NULL); do_pam_setcred(1); if (is_pam_password_change_required()) packet_disconnect("Password change required but no " @@ -581,7 +580,7 @@ ttyfd = s->ttyfd; #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, s->tty); + do_pam_set_tty(s->tty); do_pam_setcred(1); #endif @@ -1238,6 +1237,13 @@ * Reestablish them here. */ do_pam_setcred(0); + + /* + * We need to open the session here because PAM on HP-UX does not + * work after the call to permanently_set_uid. + */ + do_pam_session(pw->pw_name,NULL); + # endif /* USE_PAM */ # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) irix_setusercontext(pw);
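Review bot: in the auth-pam.c hunk at @@ -186,12 +186,14 @@, the bare `#ifndef __hpux` around the PAM_DELETE_CRED block is a compiler-predefined platform test in a tree that otherwise keys such behaviour on configure-time macros (the session.c hunks use USE_PAM); a configure-defined symbol with a one-line comment stating the reason (HP-UX's pam_end() deletes the credentials itself, and an explicit PAM_DELETE_CRED returns an error) would keep the workaround discoverable and reusable on other PAM implementations that behave the same way. It is also worth recording next to it that the "pam_end(): status = Authentication failed" line in the report is not pam_end() failing: the surviving `pam_retval = pam_end(__pamh, pam_retval);` passes the leftover status of the failed pam_setcred() call as pam_end()'s pam_status argument, so skipping the PAM_DELETE_CRED call changes what pam_end() is handed as well as which calls are made.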
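Review bot: in the auth-pam.c hunk at @@ -299,6 +301,18 @@, do_pam_set_tty() hands __pamh to pam_set_item() without the `if (__pamh ...)` guard that the cleanup code at the top of the same file uses, and its comment `/* Set the TTY after session is open */` does not match the call sites this patch creates: do_pam_set_tty(s->tty) is called from the do_exec_pty() block, while do_pam_session() is now called from do_setusercontext(), so on the path where do_setusercontext() runs in the forked child the tty is set before, not after, pam_open_session(). Please either reword the comment to say which ordering is intended, or state explicitly that session modules will only see PAM_TTY if this ran first in the same process image, and add a NULL check (or a comment saying the function is only valid once the PAM handle exists).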
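Review bot: in the session.c hunk at @@ -454,7 +454,6 @@, removing do_pam_session() leaves do_pam_setcred(1) and is_pam_password_change_required() running before any pam_open_session() call (the session is now opened later, in do_setusercontext()), which reverses the open-session-then-setcred order the original code had; please confirm that the HP-UX modules accept PAM_ESTABLISH_CRED before the session is open and that the password-change check does not depend on session state, and add a comment here saying where the session is now opened so the removal does not read as an accidental deletion.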
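Review bot: in the session.c hunk at @@ -581,7 +580,7 @@, the same reordering applies as in the no-pty path (do_pam_setcred(1) now precedes pam_open_session()), and this call is now the only place the tty name reaches PAM, since do_pam_session() is invoked later with NULL for ttyname; the session modules therefore see the tty only if do_pam_set_tty() has already run on the same PAM handle in the process that later opens the session. A short comment at this call pointing at the do_setusercontext() site would make that dependency explicit to the next reader.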
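Review bot: in the session.c hunk at @@ -1238,6 +1237,13 @@, do_pam_session(pw->pw_name,NULL) is added unconditionally for every USE_PAM build although the comment justifies it only for HP-UX, and it sits after do_pam_setcred(0), so credentials are re-established before the session is opened; if the new ordering is intended for all platforms the comment should say so, otherwise guard the call with the same symbol used for the auth-pam.c workaround. Style: missing space after the comma in `do_pam_session(pw->pw_name,NULL);`, and since this block only runs while sshd still has root in do_setusercontext(), a comment stating which process is expected to reach it with privilege separation enabled would help, given that the credit for this portion goes to Dan Wanek's earlier patch and a later maintainer will not have this thread to hand.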