[Bug 839] Privilege Separation + PAM locks users out

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Apr 9 15:18:45 EST 2004


http://bugzilla.mindrot.org/show_bug.cgi?id=839

           Summary: Privilege Separation + PAM locks users out
           Product: Portable OpenSSH
           Version: 3.8p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: P1
         Component: sshd
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: wgrim at siue.edu


I was having a problem all weekend where UsePrivilegeSeparation was on, and
users were being authenticated through PAM modules.

I would continuously get ssh_exchange_identification errors.  Generally this is
a hosts.allow/.deny problem.  However, after running into this problem 3 times,
I determined this was not the problem.

The problem has to do with something between sshd and PAM during privilege
separation.  I was randomly getting several "sshd: <user> [pam]" processes in my
"ps ax" list.  When the maximum unauthenticated connection limit was reached, no
one could log in.

Turning privilege separation off seems to remove the problem.  It is also
important to make sure ssh* binaries are not setuid root in this case.  Use
SELinux or similar if you feel you need more security.

However, I would like privilege separation fixed.



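An added monitoring example, not part of the original report and not OpenSSH project code: it scans a process listing for the "sshd: <user> [pam]" children described above, reports those older than a grace period, and says whether their number has reached the unauthenticated connection limit. The function names, the sample listing, and the thresholds (120 seconds and 4, standing in for the server's LoginGraceTime and MaxStartups values) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find lingering pre-auth "sshd: <user> [pam]" processes.
# Input on stdin: one process per line as "PID ELAPSED_SECONDS ARGS...",
# the format printed by:  ps -eo pid=,etimes=,args=

stuck_pam_children() {
    # $1 = grace period in seconds (assumed to mirror LoginGraceTime)
    # $2 = unauthenticated connection limit (assumed to mirror MaxStartups)
    awk -v grace="$1" -v limit="$2" '
        # Match only the exact process title quoted in the report.
        NF == 5 && $3 == "sshd:" && $NF == "[pam]" {
            total++
            if ($2 + 0 > grace) {
                stuck++
                per_user[$4]++
                pids[$4] = (pids[$4] == "" ? "" : pids[$4] ",") $1
            }
        }
        END {
            for (u in per_user)
                printf "stuck user=%s count=%d pids=%s\n", u, per_user[u], pids[u]
            state = (total >= limit) ? "LIMIT_REACHED" : "ok"
            printf "summary pam_children=%d stuck=%d limit=%d state=%s\n",
                   total, stuck, limit, state
        }'
}

# Constructed sample listing (not captured from a real host).
sample_ps() {
cat <<'EOF'
  812   86400 /usr/sbin/sshd
 2101    7200 sshd: alice [pam]
 2102    7100 sshd: alice [pam]
 2230    3600 sshd: bob [pam]
 2301      15 sshd: carol [pam]
 2302     900 sshd: dave [priv]
 2305     880 sshd: dave@pts/1
EOF
}

# Demo on the constructed listing; on a live host pipe in
#   ps -eo pid=,etimes=,args=
sample_ps | stuck_pam_children 120 4
```
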



