Displaying 14 results from an estimated 14 matches for "privsep_postauth".
2013 Oct 31
9
[Bug 2167] New: Connection remains when fork() fails.
...t.cgi?id=2368&action=edit
A patch which seems to solve this problem.
I got "sshd[$pid]: fatal: fork of unprivileged child failed" in
/var/log/secure but the connection with ssh client remained.
I examined the cause and found that this problem happens when fork() in
privsep_preauth()/privsep_postauth() fails. You can easily reproduce
this problem by replacing fork() in
privsep_preauth()/privsep_postauth()
with -1.
I don't know what is the right fix, but at least forcibly closing
all sockets before exit() seems to solve this problem.
I'm using RHEL 6.4's openssh-5.3p1-84.1.el6.src....
2002 Jul 15
0
[Bug 354] New: sshd with privsep doesn't do pam session setup properly
...o specify arbitrarily high limits for users
listed. The problem appears to be that do_pam_session is being called after we
drop to the user's uid. Without privsep turned on, this all work, as we drop to
the user's uid after do_pam_session. Specifically: with privsep on,
do_setusercontext in privsep_postauth (sshd.c) is called before do_pam_session
in do_exec_pty (session.c). Without privsep, we only drop root privs in do_child
(session.c), which is after we do_exec_pty, since (obviously) the former
code/call to do_setusercontext is unreached.
A possible (does appear to work, though not properly tested...
2005 May 12
2
Problems with PAM environments in ssh
...auth module
of pam_krb5 is never called by ssh, so it never has a chance to set
KRB5CCNAME.
sshd eventually exports the KRB5CCNAME variable into the PAM environment,
but it doesn?t happen until the ssh_gssapi_krb5_storecred function, which
occurs after the call to do_pam_session is made during the
privsep_postauth process.
Here an outline of the code in the main function of sshd.c that outlines
the problem:
authenticated:
/*
* In privilege separation, we fork another child and prepare
* file descriptor passing.
*/
if (use_privsep) {
/***** eventually calls do_pam_session *******/...
2018 Nov 29
2
Where to implement user limit settings ?
Hello,
I'm trying to implement setting of user limits (ulimit) in sshd. I'm
not using PAM so I need it in the sshd itself. The task is very simple -
just to put one line calling setup_limits(pw); and link with -lshadow.
But the problem is, where to put this line. I did it in session.c,
in do_child(), like this:
#ifdef HAVE_OSF_SIA
session_setup_sia(pw, s->ttyfd == -1 ? NULL
2003 Jul 06
10
[Bug 585] sshd core dumping on IRIX 6.5.18 with VerifyReverseMapping enabled
http://bugzilla.mindrot.org/show_bug.cgi?id=585
------- Additional Comments From dtucker at zip.com.au 2003-07-07 00:32 -------
dmalloc (http://dmalloc.com/) claims to work on IRIX. It's likely to increase
the CPU and memory load, though.
I've built with dmalloc on Linux thusly:
LDFLAGS=-ldmalloc ./configure && make
eval `dmalloc -l /path/to/log high`
./sshd [options]
2008 Dec 02
0
SSHD does not cleanup kerberos ticket while root logins
...bug for me, but I'd like to ask if someone has the same
problem. We are using OpenSSH 4.3p2 from Debian 4.0 (stable), but the
same problem is with original OpenSSH 4.3p2. When root logins with his
kerberos ticket and then logout, his ticket remains on the machine. I
found in source (sshd.c) in privsep_postauth function, that if root
logins then use_privsep is set to 0 and call of function
do_setusercontext is skipped. But the function do_setusercontext calls
ssh_gssapi_storecreds where structure client->store.filename is filled
with the filename of kerberos ticket. So then if
ssh_gssapi_cleanup_creds...
2005 Apr 07
4
[Bug 1011] Multiple log entries for successful pubkey authentication
http://bugzilla.mindrot.org/show_bug.cgi?id=1011
Summary: Multiple log entries for successful pubkey
authentication
Product: Portable OpenSSH
Version: 4.0p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at
2011 Jun 02
2
preauth privsep logging via monitor
...eturn (1);
} else {
/* child */
-
close(pmonitor->m_sendfd);
+ close(pmonitor->m_log_recvfd);
+
+ /* Arrange for logging to be sent to the monitor */
+ set_log_handler(mm_log_handler, pmonitor);
/* Demote the child */
if (getuid() == 0 || geteuid() == 0)
@@ -685,7 +686,6 @@ privsep_postauth(Authctxt *authctxt)
fatal("fork of unprivileged child failed");
else if (pmonitor->m_pid != 0) {
verbose("User child is on pid %ld", (long)pmonitor->m_pid);
- close(pmonitor->m_recvfd);
buffer_clear(&loginmsg);
monitor_child_postauth(pmonitor);
@@ -...
2003 May 22
1
sshd crashing on IRIX (3.6.1p1)
...cc]
9 monitor_read(pmonitor = 0x10152650, ent = 0x10137750, pent =
(nil)) ["/usr/local/src/security/openssh-3.6.1p1/monitor.c":371, 0x10040ef4]
10 monitor_child_postauth(pmonitor = 0x10152650)
["/usr/local/src/security/openssh-3.6.1p1/monitor.c":334, 0x10040d4c]
11 privsep_postauth(authctxt = 0x10151560)
["/usr/local/src/security/openssh-3.6.1p1/sshd.c":665, 0x10025f18]
12 main(ac = 1, av = 0x7fff2fa4)
["/usr/local/src/security/openssh-3.6.1p1/sshd.c":1533, 0x10028a28]
13 __start()
["/xlv55/kudzu-apr12/work/irix/lib/libc/libc_n32_M4/csu/crt...
2017 Feb 20
3
[Bug 2681] New: postauth processes to log via monitor
...rally in chroot).
How does it work?
We are trying to solve this problem on two fronts:
- In do_child, we check if the /dev/log is available in the chroot and
if not, we "leak the FD" to the internal-sftp process. We also postpone
the closefrom() call after the internal-sftp call.
- In privsep_postauth(), we have the same check (it could be probably
written more nicely) which takes care of setting up log FDs going
through the monitor.
The idea is that this change should not modify behavior of the existing
setup in case the /dev/log is available in chroot.
Originally posted in on the mailing li...
2008 Apr 21
3
FIPS 140-2 OpenSSL(2007) patches
Hi,
I am happy to (re)send a set of patches for compiling OpenSSH 4.7p1 with
FIPS 140-2 OpenSSL.
These are based on previously reported patches by Steve Marquess
<marquess at ieee.org> and Ben Laurie <ben at algroup.co.uk>,
for ver. OpenSSH 3.8.
Note that these patches are NOT OFFICIAL, and MAY be used freely by
anyone.
Issues [partially] handled:
SSL FIPS Self test.
RC4,
2006 Jan 08
3
Allow --without-privsep build.
...exit. */
fatal("Timeout before authentication for %s", get_remote_ipaddr());
}
@@ -536,6 +539,7 @@ demote_sensitive_data(void)
/* We do not clear ssh1_host key and cookie. XXX - Okay Niels? */
}
+#ifdef USE_PRIVSEP
static void
privsep_preauth_child(void)
{
@@ -678,6 +682,7 @@ privsep_postauth(Authctxt *authctxt)
*/
packet_set_authenticated();
}
+#endif /* USE_PRIVSEP */
static char *
list_hostkey_types(void)
@@ -1691,10 +1696,11 @@ main(int ac, char **av)
/* prepare buffer to collect messages to display to user after login */
buffer_init(&loginmsg);
+#ifdef USE_PRIVS...
2003 Jun 03
15
[Bug 585] sshd core dumping on IRIX 6.5.18 with VerifyReverseMapping enabled
http://bugzilla.mindrot.org/show_bug.cgi?id=585
Summary: sshd core dumping on IRIX 6.5.18 with
VerifyReverseMapping enabled
Product: Portable OpenSSH
Version: -current
Platform: MIPS
OS/Version: IRIX
Status: NEW
Severity: major
Priority: P2
Component: sshd
AssignedTo:
2013 Jun 25
1
RFC: encrypted hostkeys patch
...>m_pid = pid;
if (box != NULL)
ssh_sandbox_parent_preauth(box, pid);
monitor_child_preauth(authctxt, pmonitor);
+ if (auth_conn) {
+ ssh_close_authentication_connection(auth_conn);
+ auth_conn = NULL;
+ }
+
/* Sync memory */
monitor_sync(pmonitor);
@@ -704,10 +716,11 @@ privsep_postauth(Authctxt *authctxt)
u_int32_t rnd[256];
#ifdef DISABLE_FD_PASSING
- if (1) {
+ if (1)
#else
- if (authctxt->pw->pw_uid == 0 || options.use_login) {
+ if (authctxt->pw->pw_uid == 0 || options.use_login)
#endif
+ {
/* File descriptor passing is broken or root login */
use_pri...