Frank Mohr
2004-Apr-06 08:28 UTC
different PAM/ssh server-session sequences for root and regular users?
Hi

I just noticed different sequences of PAM/ssh-session calls.
(env: OpenSSH 3.8p1 on Linux with PAM-0.75)

The channel 0 (server-session) seems to be started very early for root and after the pam-session is started for regular users.

As a result, regular users don't have a tty when the pam-session modules are called.

Is this intended?

Frank

For root:
Apr 6 09:53:53 garfield2 sshd[16255]: (S 8) Found matching RSA key: ...
Apr 6 09:53:53 garfield2 sshd[16255]: pam_log: pam_sm_acct_mgmt
Apr 6 09:53:53 garfield2 sshd[16255]: (S 8) Accepted publickey for root from 127.0.0.1 port 47019
Apr 6 09:53:53 garfield2 sshd[16255]: (S 8) channel 0: new: server-session, nchannels open: 1
Apr 6 09:53:53 garfield2 sshd[16255]: pam_log: pam_sm_setcred
Apr 6 09:53:53 garfield2 sshd[16257]: pam_log: pam_sm_open_session
Apr 6 09:54:03 garfield2 sshd[16257]: pam_log: pam_sm_setcred

For regular users:
Apr 6 10:14:59 garfield2 sshd[16311]: (S 9) Found matching RSA key: ...
Apr 6 10:14:59 garfield2 sshd[16311]: pam_log: pam_sm_acct_mgmt
Apr 6 10:14:59 garfield2 sshd[16311]: (S 9) Accepted publickey for frank from 127.0.0.1 port 47023
Apr 6 10:14:59 garfield2 sshd[16314]: pam_log: pam_sm_open_session
Apr 6 10:14:59 garfield2 sshd[16314]: pam_log: pam_sm_setcred
Apr 6 10:14:59 garfield2 sshd[16314]: (S 9) channel 0: new: server-session, nchannels open: 1
Darren Tucker
2004-Apr-06 08:57 UTC
different PAM/ssh server-session sequences for root and regular users?
Frank Mohr wrote:
> I just noticed different sequences of PAM/ssh-session calls.
> (env: OpenSSH 3.8p1 on Linux with PAM-0.75)
>
> The channel 0 (server-session) seems to be started very early for root
> and after the pam-session is started for regular users.
>
> As a result, regular users don't have a tty when the pam-session modules
> are called.
>
> Is this intended?

The difference is probably PrivilegeSeparation. Do the differences go away if you run sshd with "UsePrivilegeSeparation no"?

From memory, when root logs in there's no privsep process (no point), and for normal users the pty is not allocated (via the monitor) until quite late in the login process (after the PAM session modules run).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
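
The ordering discussed in this thread can be checked mechanically when comparing sshd configurations. The following is an added example, not code from either poster or from OpenSSH: it reads the log lines quoted in the first message and reports, per login, whether the server-session channel existed before pam_sm_open_session ran. The function name session_order is hypothetical, and the script assumes logins are not interleaved in the log.

```python
import re

# Log lines copied from the first post of the thread (key data elided there too).
SAMPLE_LOG = """\
Apr 6 09:53:53 garfield2 sshd[16255]: (S 8) Found matching RSA key: ...
Apr 6 09:53:53 garfield2 sshd[16255]: pam_log: pam_sm_acct_mgmt
Apr 6 09:53:53 garfield2 sshd[16255]: (S 8) Accepted publickey for root from 127.0.0.1 port 47019
Apr 6 09:53:53 garfield2 sshd[16255]: (S 8) channel 0: new: server-session, nchannels open: 1
Apr 6 09:53:53 garfield2 sshd[16255]: pam_log: pam_sm_setcred
Apr 6 09:53:53 garfield2 sshd[16257]: pam_log: pam_sm_open_session
Apr 6 09:54:03 garfield2 sshd[16257]: pam_log: pam_sm_setcred
Apr 6 10:14:59 garfield2 sshd[16311]: (S 9) Found matching RSA key: ...
Apr 6 10:14:59 garfield2 sshd[16311]: pam_log: pam_sm_acct_mgmt
Apr 6 10:14:59 garfield2 sshd[16311]: (S 9) Accepted publickey for frank from 127.0.0.1 port 47023
Apr 6 10:14:59 garfield2 sshd[16314]: pam_log: pam_sm_open_session
Apr 6 10:14:59 garfield2 sshd[16314]: pam_log: pam_sm_setcred
Apr 6 10:14:59 garfield2 sshd[16314]: (S 9) channel 0: new: server-session, nchannels open: 1
"""

# The "(S n)" tag appears on some lines in the post and is treated as optional.
LINE = re.compile(r"sshd\[\d+\]: (?:\(S \d+\) )?(?P<msg>.*)$")
ACCEPT = re.compile(r"Accepted \S+ for (?P<user>\S+) from")

def session_order(log_text):
    """Return one dict per login with its event order (hypothetical helper).

    Assumption: a login's lines follow its "Accepted ..." line and are not
    interleaved with another login's lines.
    """
    logins, current = [], None
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        accepted = ACCEPT.search(msg)
        if accepted:
            current = {"user": accepted.group("user"), "events": []}
            logins.append(current)
        elif current is not None and msg.startswith("pam_log: pam_sm_open_session"):
            current["events"].append("pam_open_session")
        elif current is not None and "channel 0: new: server-session" in msg:
            current["events"].append("channel_open")
    for login in logins:
        ev = login["events"]
        # True when the channel was created before the PAM session modules ran.
        login["channel_before_pam_session"] = (
            {"channel_open", "pam_open_session"} <= set(ev)
            and ev.index("channel_open") < ev.index("pam_open_session"))
    return logins
```

Running the same check on logs captured with and without "UsePrivilegeSeparation no" shows whether the setting changes the order for regular users.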