[Bug 839] Privilege Separation + PAM locks users out
bugzilla-daemon at mindrot.org
Fri Apr 9 15:18:45 EST 2004
http://bugzilla.mindrot.org/show_bug.cgi?id=839
Summary: Privilege Separation + PAM locks users out
Product: Portable OpenSSH
Version: 3.8p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: critical
Priority: P1
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: wgrim at siue.edu

I was having a problem all weekend where UsePrivilegeSeparation was on, and
users were being authenticated through PAM modules.

I would continuously get ssh_exchange_identification errors. Generally this is
a hosts.allow/.deny problem. However, after running into this problem 3 times,
I determined this was not the problem.

The problem has to do with something between sshd and PAM during privilege
separation. I was randomly getting several "sshd: <user> [pam]" processes in my
"ps ax" list. When the maximum unauthenticated connection limit was reached, no
one could log in.

Turning privilege separation off seems to remove the problem. It is also
important to make sure ssh* binaries are not setuid root in this case. Use
SELinux or similar if you feel you need more security.

However, I would like privilege separation fixed.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
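
A way to watch for the symptom reported above, as an added example that is not part of the original report or of OpenSSH: it counts "sshd: <user> [pam]" processes per user in "ps ax"-style output and checks the total against a limit. The function names and the sample listing are constructed for illustration; the limit is an assumption supplied by the caller (for example the MaxStartups value from sshd_config).

```shell
#!/bin/sh
# Constructed sample of `ps ax` output (not taken from the bug report).
sample_ps() {
    cat <<'EOF'
  PID TTY      STAT   TIME COMMAND
  812 ?        Ss     0:00 /usr/sbin/sshd
 4101 ?        S      0:00 sshd: alice@pts/0
 4102 ?        S      0:00 sshd: alice [pam]
 4177 ?        S      0:00 sshd: bob [pam]
 4180 ?        S      0:00 sshd: bob [pam]
 4183 ?        S      0:00 sshd: bob [pam]
 4190 pts/1    S+     0:00 grep sshd
EOF
}

# Read ps output on stdin; print "<count> <user>" per user, highest first.
# Only the exact title from the report, "sshd: <user> [pam]", is counted.
count_pam_children() {
    awk '
        {
            for (i = 1; i + 2 <= NF; i++)
                if ($i == "sshd:" && $(i + 2) == "[pam]")
                    seen[$(i + 1)]++
        }
        END { for (u in seen) print seen[u], u }
    ' | sort -rn
}

# Read ps output on stdin; print the total number of [pam] processes.
total_pam_children() {
    count_pam_children | awk '{ n += $1 } END { print n + 0 }'
}

# Succeed (exit 0) when the total has reached the caller-supplied limit.
pam_children_at_limit() {
    limit=$1
    total=$(total_pam_children)
    [ "$total" -ge "$limit" ]
}

# Demonstration on the constructed sample; on a live host use: ps ax | ...
sample_ps | count_pam_children
if sample_ps | pam_children_at_limit 4; then
    echo "warning: [pam] process count has reached the limit of 4"
fi
```
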