[Bug 1189] Stacked PAM modules hang root logout

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat May 20 07:43:00 EST 2006


http://bugzilla.mindrot.org/show_bug.cgi?id=1189


dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED




------- Comment #8 from dtucker at zip.com.au  2006-05-20 07:42 -------
(In reply to comment #6)
> Additional testing reveals that
> 
> 1) the hang is caused by having the PAM module in question alone
> performing authentication - it doesn't have to be stacked
> 2) non-root users will also hang using pubkey auth if sshd is
> configured without PrivSep
> 3) not all PAM modules exhibit this behavior
> 
> I suppose this bug boils down to one of, if pubkey auth succeeded, why
> would the auth PAM modules be getting touched at all? Even if I have a
> clunky PAM module, I would have thought it wouldn't matter if it is not
> being called for auth.

pam_setcred() uses the auth stack too and that's called regardless of
the ssh authentication method.

> I am about to attach the output of truss -vpoll -f -d on the sshd
> command in question. The hang occurs between the timestamps 15.69 and
> 26.18 (which is where I hit Ctrl-C).
> 
> Thanks in advance for any help or pointers to a clue, if I am
> overlooking something (aside from getting rid of the PAM module in
> question).

Try lsof'ing (or equivalent) the hanging sshd (and/or its shell
subprocess if it still has one).  I suspect that your recalcitrant
module is leaking file descriptors and sshd is waiting for the leaked
desriptor to close.

Excellent bug report, btw :-)




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.




More information about the openssh-bugs mailing list