search for: sshpam_cleanup

Hello, I would like to use PAM. All PAM interaction worked well with openssh-3.5 Now that I have tried to upgrade to 3.7.1p1/p2 the pam_close_session() function won't get invoked. Some debugging shows, that the call is protected by an if-statement (module auth-pam.c, function sshpam_cleanup): if (sshpam_session_open) { pam_close_session(sshpam_handle, PAM_SILENT); /* cb, 26.09.03 */ debug2("\n\nin sshpam_cleanup: mypid = %d\n\n", getpid()); sshpam_session_open = 0; } I guess that the forked child process that calls the sshpam_cleanup() function is forked befor...

...sing a proprietary PAM module for my Authentication. When the root user logs out, it throws a message "pam_setcred : Pemission denied" in syslog. The PAM engineer told me that the module can't delete root users credentials. Instead he is asking me to skip the call pam_setcred() in sshpam_cleanup() in auth-pam.c for root user. Is this is the right way? Is there any impact with this? Thanks, Senthil Kumar.

...e session,the cache file corresponding to the nonpriv process is not removed. $ ll /tmp/krb5cc* -rw------- 1 test users 416 Oct 20 14:03 /tmp/krb5cc_243_245 I have tested this on hpux but believe the same behaviour on other OS as well. Probable fix is to change the condition in sshpam_cleanup(void)/auth-pam.c < if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor())) --- > if (sshpam_handle == NULL && (use_privsep && !mm_is_monitor())) -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving...

http://bugzilla.mindrot.org/show_bug.cgi?id=1322 Summary: pam_end() is not called if authentication fails, which breaks pam-abl Product: Portable OpenSSH Version: 4.6p1 Platform: Other URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405041 OS/Version: Linux Status: NEW Severity:

...sion: All Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: openssh-bugs at mindrot.org ReportedBy: dtucker at zip.com.au Reported by Dr. Carsten Benecke: "I guess that the forked child process that calls the sshpam_cleanup() function is forked before the parent calls do_pam_session() (which sets sshpam_session_open to true)." and Chris Jensen: "But when I exit the session, pam_sm_close_session gets called, but it only runs as the user that was logged in, so it doesn't have permission to unmount the d...

...something and then invokes bash by execve. So in this moment child child process was destroyed by bash and sshpam_session_open variable was lost but it should be remembered elsewhere: in parent, than it would be possible to retrieve info that session was opened and must be closed what is checked in sshpam_cleanup. So in efect I am not able to use logout script because sshd never knows that pam session was created Could you help me with that? Maybe configuration of sshd should be different that fork is not executed. I use openssh 4.2p1-5 of Debian Sid. Regards Micha? Nowikowski

Openssh 5.0p1 on HPUX 11.23. Here is the message: Jun 15 13:21:28 a300sua0 sshd[10798]: pam_setcred: error Permission denied See http://www.docs.hp.com/en/T1471-90033/ch01s06.html We track the issue to sshpam_cleanup() which resets the conversation function pointer to sshpam_null_conv() before calling pam_setcred with PAM_DELETE_CRED. sshpam_null_conv() always just returns PAM_CONV_ERR. It seems HPUX PAM module then decided to call the conversation function (not sure why), and gets this error. Is it possible/...

...ebug3: ssh_msg_recv entering debug3: mm_request_send entering: type 51 debug3: mm_request_receive entering - debug1: do_cleanup fatal: PAM: authentication thread exited unexpectedly debug1: do_cleanup + debug1: PAM: cleanup + debug3: PAM: sshpam_thread_cleanup entering It looks to me as if sshpam_cleanup() and sshpam_thread_cleanup() aren't getting called under all circumstances when they should be, and that the result of this is that the [pam] threads lie around forever until they choke the server. Yet do_cleanup() *is* getting called. Since I believe that neither KRB5 nor GSSAPI is compiled i...

...38,7 +301,7 @@ auth_fail: buffer_put_cstring(&buffer, - pam_strerror(sshpam_handle, sshpam_err)); + pam_strerror(grab_pamh(0, NULL), sshpam_err)); ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); buffer_free(&buffer); pthread_exit(NULL); @@ -274,20 +337,31 @@ sshpam_cleanup(void) { debug("PAM: cleanup"); - if (sshpam_handle == NULL) - return; - pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); - if (sshpam_cred_established) { - pam_setcred(sshpam_handle, PAM_DELETE_CRED); - sshpam_cred_established = 0; - } - if (sshpam_session_open)...

...said, I'm not on this mailing list (although I tried to be), so I sure would appreciate being CCed on any responses. L8r, tg. --- openssh.original/BUILD/openssh-3.9p1/auth-pam.c Mon Aug 16 09:12:06 2004 +++ openssh/BUILD/openssh-3.9p1/auth-pam.c Mon Sep 13 08:35:36 2004 @@ -756,27 +756,6 @@ sshpam_cleanup(); } -u_int -do_pam_account(void) -{ - if (sshpam_account_status != -1) - return (sshpam_account_status); - - sshpam_err = pam_acct_mgmt(sshpam_handle, 0); - debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err); - - if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW...