search for: pam_delete_cred

Displaying 17 results from an estimated 17 matches for "pam_delete_cred".

2002 Oct 09
0
Again: Cannot delete credentials
As has often been mentioned, Solaris (at least 7 and 8) gives a debug1 message on logout: Cannot delete credentials. This occurs when in auth-pam.c, function do_pam_cleanup_proc(), pam_setcred(__pamh, PAM_DELETE_CRED) is called under UID 0. I suggested a patch for this on Nov 22, 2001, based on openssh 2.9.9p2 through 3.0.1p1. [The attempt in my patch to reset to UID 0 by "if (!flag) setuid(0);" does not actually work but seems not to be required.] Now in 3.4p1 with privilege separation, I found this...
2001 Oct 26
1
PAM session cleanup on Sol8 with v2.9.9p2
In do_pam_cleanup_proc(), there are 3 calls to PAM: 1) pam_close_session() - do lastlog stuff 2) pam_setcred(PAM_DELETE_CRED) - delete credentials 3) pam_end() - close PAM It appears that pam_setcred() always fails with the error PAM_PERM_DENIED. This is due to a check done in pam_unix.so to not allow a caller with euid 0 to even try to delete their SECURE_RPC credentials. When sshd calls pam_setcred() to delete the cred...
2001 Oct 31
3
2.9.9p2 and Solaris-2.8 PAM: Cannot delete credentials[7]: Permission denied
The 2 errors: pam_setcred: error Permission denied Cannot delete credentials[7]: Permission denied Looks to be a major bug in the PAM module for Solaris-2.8/2.7/2.6. Has anyone from the list (developers of OpenSSH, endusers, hackers, etc.) come up w/ a solution? Even a temporary one? When authenticating yourself on the same system that worked, but when authenticating to another system failed. I
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
...e_t *)pamh, 0); + pam_retval = pam_close_session(pamh, 0); if (pam_retval != PAM_SUCCESS) { log("Cannot close PAM session: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } - pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED); + pam_retval = pam_setcred(pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) { debug("Cannot delete credentials: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } - pam_retval = pam_end((pam_handle_t *)pamh, pam_re...
2001 Sep 05
1
reinit_creds (was Re: OpenSSHd barfs upon reauthentication: PAM, Solaris 8)
...reate a user-owned ccache *before* the account >management part of PAM has been called and succeeded?? Because you are supposed to call pam functions in this order: pam_start(pamh,...); pam_authenticate(pamh, ...); pam_acct_mgmt(pamh, pam_setcred(pamh, PAM_ESTABLISH_CRED) ... pam_setcred(pamh, PAM_DELETE_CRED); pam_end(pamh); This is quite clear from the Solaris man page for pam_setcred(3pam) " The pam_setcred() function is used to establish, modify, or delete user credentials. It is typically called after the user has been authenticated and after a session has been ope...
2000 May 23
0
HP-UX 11.0 scp -t hangs and PAM
...ain (argc=1, argv=0x7bff0164) at scp.c:328 So we're blocked in read() on fd 0 for some reason. The file transfer does complete. Another issue is we get this message from sshd when logging out: May 23 13:22:16 robinson sshd[14075]: Cannot delete credentials: Permission denied So pam_setcred(PAM_DELETE_CRED) isn't working.
2009 Jul 13
0
openssh conversation failure issue on HPUX
....23. Here is the message: Jun 15 13:21:28 a300sua0 sshd[10798]: pam_setcred: error Permission denied See http://www.docs.hp.com/en/T1471-90033/ch01s06.html We track the issue to sshpam_cleanup() which resets the conversation function pointer to sshpam_null_conv() before calling pam_setcred with PAM_DELETE_CRED. sshpam_null_conv() always just returns PAM_CONV_ERR. It seems HPUX PAM module then decided to call the conversation function (not sure why), and gets this error. Is it possible/advisable to (maybe use #ifdef) move the pam_set_item call to after the pam_setcred block? Thanks Leo Liou Not a shred...
2002 Dec 10
5
[PATCH] Password expiry with Privsep and PAM
...ct pam_response **resp, void *appdata_ptr); @@ -186,12 +184,15 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +/* HP-UX doesn't like credentials to be deleted. Skip and rely on pam_end() */ +#ifndef __hpux if (__pamh && creds_set) { pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +#endif if (__pamh) { pam_retval = pam_end(__pamh, pam_retval); @@ -256,10 +257,8 @@ case PAM_SUCCESS: /* This is what we want *...
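Review bot: in the `@@ -186,12 +184,15 @@` hunk, the `#ifndef __hpux` guard removes the `pam_setcred(__pamh, PAM_DELETE_CRED)` call at compile time and leaves no trace at run time, so on HP-UX nothing records that credential deletion was skipped while `creds_set` is true. Suggest an `#else` branch with a `debug()` line saying deletion is left to `pam_end()`, so cleanup logs stay comparable across platforms.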
2001 Jan 22
0
Patches for failing build & bus error on SPARC/Linux
...38,349 ---- /* Function replacement / compatibility hacks */ /* In older versions of libpam, pam_strerror takes a single argument */ + /* Older versions of PAM (1.10) don't define some symbols the same way */ #ifdef HAVE_OLD_PAM # define PAM_STRERROR(a,b) pam_strerror((b)) + # define PAM_DELETE_CRED PAM_CRED_DELETE + # define PAM_ESTABLISH_CRED PAM_CRED_ESTABLISH + # define PAM_NEW_AUTHTOK_REQD PAM_AUTHTOKEN_REQD #else # define PAM_STRERROR(a,b) pam_strerror((a),(b)) #endif *** fake-getnameinfo.c.orig Fri Sep 29 00:59:14 2000 --- fake-getnameinfo.c Mon Jan 22 16:19:39 2001 **************...
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
...er_free(&buffer); pthread_exit(NULL); @@ -274,20 +337,31 @@ sshpam_cleanup(void) { debug("PAM: cleanup"); - if (sshpam_handle == NULL) - return; - pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); - if (sshpam_cred_established) { - pam_setcred(sshpam_handle, PAM_DELETE_CRED); - sshpam_cred_established = 0; - } - if (sshpam_session_open) { - pam_close_session(sshpam_handle, PAM_SILENT); - sshpam_session_open = 0; - } - sshpam_authenticated = sshpam_new_authtok_reqd = 0; - pam_end(sshpam_handle, sshpam_err); - sshpam_handle = NULL; + if (grab_pamh(0, NULL) != NULL) {...
1999 Dec 28
0
Patches to report rsaref build and to call pam_setcred
...ar *remote_user); void do_pam_session(char *username, char *ttyname); +void do_pam_setcred(); void pam_cleanup_proc(void *context); static struct pam_conv conv = { @@ -230,6 +231,12 @@ PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } + pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED); + if (pam_retval != PAM_SUCCESS) { + log("Cannot delete credentials: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + pam_retval = pam_end((pam_handle_t *)pamh, pam_retval); if (pam_retval != PAM_SUCCESS) { log("Cannot release PAM authentication: %...
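Review bot: the new prototype `void do_pam_setcred();` in the first hunk declares an unspecified parameter list in C rather than an empty one. Write it as `void do_pam_setcred(void);` so that a call passing arguments is rejected at compile time.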
2000 Jul 03
1
Antwort: Re: sshd does not exit after scp (hpux 11.00 / ssh 2.1 .1p1)
...ain (argc=1, argv=0x7bff0164) at scp.c:328 So we're blocked in read() on fd 0 for some reason. The file transfer does complete. Another issue is we get this message from sshd when logging out: May 23 13:22:16 robinson sshd[14075]: Cannot delete credentials: Permission denied So pam_setcred(PAM_DELETE_CRED) isn't working.
2002 Oct 21
0
[Bug 419] New: HP-UX PAM problems with 3.5p1
...-3.5p1a/auth-pam.c --- openssh-3.5p1/auth-pam.c Sun Jul 28 22:24:08 2002 +++ openssh-3.5p1a/auth-pam.c Wed Oct 16 15:00:01 2002 @@ -186,12 +186,14 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +#ifndef __hpux if (__pamh && creds_set) { pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +#endif if (__pamh) { pam_retval = pam_end(__pamh, pam_retval); @@ -299,6 +301,18 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval...
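Review bot: the `#ifndef __hpux` / `#endif` pair added around the `pam_setcred(__pamh, PAM_DELETE_CRED)` block in the `@@ -186,12 +186,14 @@` hunk has no comment explaining why credential deletion is compiled out on HP-UX. Add a one-line comment above the `#ifndef` stating the failure it works around and what is expected to release the credentials instead.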
2002 May 29
0
pam_limits module bug and its effects on pam applications
...ials | | v v pam_close_session setuid/gid to authenticated user | | v v pam_setcred call to cleanup credentials exec shell/command | v pam_end But this requires that pam_setcred( pamh, PAM_ESTABLISH_CRED) and pam_setcred( pamh, PAM_DELETE_CRED ) can be called in different processes. If this is not the case I don't know of a way to ever implement resource limit settings in a reliable way. --
2000 Jul 03
2
2.1.1p2 HP-UX 11 PAM General Commerical Security error
Trying 2.1.1p2 on HP-UX 11 (trusted system) I get: Jul 3 14:24:53 robinson sshd[1236]: debug: Encryption type: 3des Jul 3 14:24:53 robinson sshd[1236]: debug: Received session key; encryption turned on. Jul 3 14:24:53 robinson sshd[1236]: debug: Installing crc compensation attack detector. Jul 3 14:24:53 robinson sshd[1236]: debug: Starting up PAM with username "stevesk" Jul 3
2002 Dec 21
6
[PATCH] PAM chauthtok + Privsep
...ct pam_response **resp, void *appdata_ptr); @@ -186,12 +184,15 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +/* HP-UX doesn't like credentials to be deleted. Skip and rely on pam_end() */ +#ifndef __hpux if (__pamh && creds_set) { pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +#endif if (__pamh) { pam_retval = pam_end(__pamh, pam_retval); @@ -256,10 +257,8 @@ case PAM_SUCCESS: /* This is what we want *...
2001 Sep 05
2
reinit_creds (was Re: OpenSSHd barfs upon reauthentication: PAM, Solaris 8)
>Neither the Sun PAM documentation nor the Linux-PAM documentation >describe the semantics of PAM_REINITIALIZE_CREDS in any useful detail. I would agree it is vague, but then that is also a problem with the XSSO document (http://www.opengroup.org/onlinepubs/008329799/) >Could we please have a clarification on the semantics of >PAM_CRED_ESTABLISH vs. the semantics of