[Bug 1339] New: pam_dhkeys doesn't work ( PAM_REINITIALIZE_CRED without PAM_ESTABLISH_CRED)

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Jul 13 23:25:54 EST 2007


http://bugzilla.mindrot.org/show_bug.cgi?id=1339

           Summary: pam_dhkeys doesn't work (PAM_REINITIALIZE_CRED without
                    PAM_ESTABLISH_CRED)
           Product: Portable OpenSSH
           Version: 4.6p1
          Platform: Sparc
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: PAM support
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: David.Leonard at quest.com


This bug is a consequence of the fix applied in bug 789.

When using keyboard-interactive to login through OpenSSH to a Solaris 8
NIS+/PAM host, the automatic 'keylogin' feature of the pam_dhkeys PAM
module disappears. It's not so bad; the workaround is to run keylogin
manually once at a shell.

    debug3: PAM: opening session
    debug1: PAM: reinitializing credentials

The cause seems to be that the pam_dhkeys.so module ignores the
PAM_REINITIALIZE_CRED flag passed by OpenSSH to pam_setcred(). If I
make it pass PAM_ESTABLISH_CRED instead, then it works fine.

The PAM_REINITIALIZE_CRED feature was added to fix the case where
initgroups() stomped on credentials that pam_setcred() had already
established early on in do_exec_[no]_pty():

date: 2001-03-27 16:12:24 +1000;  author: djm;  state: Exp;  lines: +4 -3;
 - (djm) Reestablish PAM credentials (which can be supplemental group
   memberships) after initgroups() blows them away. Report and suggested
   fix from Nalin Dahyabhai <nalin at redhat.com>

But, the early call to pam_setcred() was later disabled in bug 789 to
make linux pam_group.so work.

There seems to be much confusion over the purpose of pam_setcred(), but
I think it is safe to say that openssh should call setcred(ESTABLISH)
instead of setcred(REINITIALIZE) if setcred(ESTABLISH) has never been
called before.


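The sequencing problem the report describes, as an added example that is not part of the bug report and not OpenSSH or Solaris code: a small C simulation in which a constructed module behaves the way pam_dhkeys is described above (it only loads keys on PAM_ESTABLISH_CRED and does nothing on PAM_REINITIALIZE_CRED when nothing was established), next to an application-side wrapper implementing the proposed fix of sending ESTABLISH first and REINITIALIZE only afterwards. The flag values, the `sim_*` functions and the `app_setcred` wrapper are all constructed for this example; real PAM flag values differ between Linux-PAM and Solaris and must come from `<security/pam_appl.h>`.

```c
/*
 * Added example, not from the bug report or from OpenSSH: simulates
 * pam_setcred() flag ordering. All names and flag values below are
 * constructed for the example and are not the real PAM constants.
 */
#include <stdbool.h>
#include <stdio.h>

/* Constructed flag values (placeholders, not the platform's real ones). */
enum setcred_flag {
    SIM_ESTABLISH_CRED    = 1,
    SIM_DELETE_CRED       = 2,
    SIM_REINITIALIZE_CRED = 4
};

/* Simulated credential store of a module behaving like the reported
 * pam_dhkeys: credentials are created only on ESTABLISH; REINITIALIZE
 * merely refreshes whatever is already there. */
struct sim_module {
    bool keys_loaded;     /* analogue of a completed 'keylogin' */
    int  reinit_ignored;  /* REINITIALIZE calls that had nothing to do */
};

static int sim_pam_setcred(struct sim_module *m, int flags)
{
    switch (flags) {
    case SIM_ESTABLISH_CRED:
        m->keys_loaded = true;
        return 0;
    case SIM_REINITIALIZE_CRED:
        if (!m->keys_loaded)
            m->reinit_ignored++;  /* silently does nothing, still "succeeds" */
        return 0;
    case SIM_DELETE_CRED:
        m->keys_loaded = false;
        return 0;
    default:
        return -1;
    }
}

/* Application-side state: has ESTABLISH ever been sent in this session? */
struct cred_state {
    bool established;
};

/* The fix proposed in the report: if ESTABLISH has never been sent,
 * send it instead of REINITIALIZE; afterwards (e.g. once initgroups()
 * has run) REINITIALIZE is the right flag. */
static int app_setcred(struct cred_state *s, struct sim_module *m,
                       bool want_reinit)
{
    int flags = (want_reinit && s->established) ? SIM_REINITIALIZE_CRED
                                                : SIM_ESTABLISH_CRED;
    int rc = sim_pam_setcred(m, flags);
    if (rc == 0 && flags == SIM_ESTABLISH_CRED)
        s->established = true;
    return rc;
}

/* Reproduces the reported behaviour: early ESTABLISH skipped, only
 * REINITIALIZE sent at session open. Returns whether keys got loaded. */
bool session_without_establish(void)
{
    struct sim_module m = {0};
    sim_pam_setcred(&m, SIM_REINITIALIZE_CRED);
    return m.keys_loaded;  /* false: the automatic keylogin never happened */
}

/* Same session through the state-tracking wrapper. Returns true when keys
 * are loaded and no REINITIALIZE call was wasted. */
bool session_with_wrapper(void)
{
    struct sim_module m = {0};
    struct cred_state s = {0};
    app_setcred(&s, &m, true);  /* turned into ESTABLISH: never established */
    /* ... initgroups() would run here and clobber supplementary groups ... */
    app_setcred(&s, &m, true);  /* now a genuine REINITIALIZE */
    return m.keys_loaded && m.reinit_ignored == 0;
}

int main(void)
{
    printf("REINITIALIZE only: keys loaded = %d\n", session_without_establish());
    printf("with wrapper:      keys loaded = %d\n", session_with_wrapper());
    return 0;
}
```

The point the simulation makes is that the module returns success either way, so the missing keylogin is invisible to the caller unless it tracks on its own side whether credentials were ever established; that is why the report asks the application, not the module, to pick the flag.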