[Bug 3210] New: Confusing errors when pam_acct_mgmt() fails

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Sep 8 21:18:20 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3210

            Bug ID: 3210
           Summary: Confusing errors when pam_acct_mgmt() fails
           Product: Portable OpenSSH
           Version: 8.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 3445
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3445&action=edit
pam: Correctly handle errors from pam_acct_mgmt

The fix for bug #1188 introduced an unconditional override of the return
value from pam_acct_mgmt(), setting PAM_ACCT_EXPIRED on any error from the
account step.

That may have been true 15 years ago, when there were no other reasons
why this function could fail, but these days there are at least
PAM_USER_UNKNOWN and PAM_PERM_DENIED (from the Fedora 32 man pages). In
these cases, openssh goes into unexpected code paths, giving confusing
error messages such as:

pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=client user=useruser
debug1: do_pam_account: called
pam_sss(sshd:account): Access denied for user useruser: 6 (Permission denied)
debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
debug3: ssh_msg_send: type 13
debug3: PAM: User account has expired
error: PAM: User account has expired for useruser from client

As far as I can tell, there is no recovery from either of these errors
worth retrying, so I believe we should be fine handling them the same
way as an expired account.

The attached is a proposed patch, which should handle this use case as
well as the original issue in #1188. Tested in Fedora 32 with
pam_debug.so with the respective return values, as well as with an expired
user.
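The override described in this report, beside the distinct handling it argues for, as an added C example that is neither the attached patch nor OpenSSH's auth-pam.c: it models the account-step decision with two small functions, redefines the Linux-PAM numeric codes so it builds without libpam (the values are those of Linux-PAM's <security/pam_appl.h>; redefining them here is an assumption), and the function names, the result struct and the sample values are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Linux-PAM return codes relevant to the account step. The numeric values
 * match Linux-PAM's <security/pam_appl.h>; they are redefined here
 * (assumption, so this builds without libpam) rather than included. */
enum {
    PAM_SUCCESS      = 0,
    PAM_PERM_DENIED  = 6,
    PAM_USER_UNKNOWN = 10,
    PAM_ACCT_EXPIRED = 13
};

/* What the server would report for the account check (constructed shape). */
struct acct_result {
    int allowed;          /* 1 if login may proceed */
    int pam_err;          /* code that ends up in the log */
    const char *message;  /* text that ends up in the log */
};

/* Human-readable text for the codes above (stand-in for pam_strerror()). */
static const char *acct_err_text(int rc)
{
    switch (rc) {
    case PAM_SUCCESS:      return "Success";
    case PAM_PERM_DENIED:  return "Permission denied";
    case PAM_USER_UNKNOWN: return "User not known to the underlying authentication module";
    case PAM_ACCT_EXPIRED: return "User account has expired";
    default:               return "Unknown PAM error";
    }
}

/* Old behaviour as the report describes it: any non-success code from the
 * account step is overwritten with PAM_ACCT_EXPIRED before being reported,
 * which is how a PAM_PERM_DENIED from pam_sss surfaces as "account expired". */
struct acct_result account_check_old(int rc_from_acct_mgmt)
{
    struct acct_result r = { 1, PAM_SUCCESS, acct_err_text(PAM_SUCCESS) };
    if (rc_from_acct_mgmt != PAM_SUCCESS) {
        r.allowed = 0;
        r.pam_err = PAM_ACCT_EXPIRED;           /* unconditional override */
        r.message = acct_err_text(r.pam_err);
    }
    return r;
}

/* Corrected behaviour: the real code is preserved, so each documented
 * failure is denied and logged under its own message. */
struct acct_result account_check_new(int rc_from_acct_mgmt)
{
    struct acct_result r = { 0, rc_from_acct_mgmt, acct_err_text(rc_from_acct_mgmt) };
    switch (rc_from_acct_mgmt) {
    case PAM_SUCCESS:
        r.allowed = 1;
        break;
    case PAM_ACCT_EXPIRED:
    case PAM_USER_UNKNOWN:
    case PAM_PERM_DENIED:
        /* none of these is worth retrying; deny, but keep the real reason */
        r.allowed = 0;
        break;
    default:
        /* unexpected code: still deny, and leave it visible in the log */
        r.allowed = 0;
        break;
    }
    return r;
}

int main(void)
{
    /* Constructed sample codes, including the "= 6" seen in the report. */
    int codes[] = { PAM_SUCCESS, PAM_PERM_DENIED, PAM_USER_UNKNOWN, PAM_ACCT_EXPIRED };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        struct acct_result o = account_check_old(codes[i]);
        struct acct_result n = account_check_new(codes[i]);
        printf("pam_acct_mgmt = %d: old -> %d (%s); new -> %d (%s)\n",
               codes[i], o.pam_err, o.message, n.pam_err, n.message);
    }
    return 0;
}
```

Running it shows the difference the report is about: for a return value of 6 the old path reports 13 (User account has expired) while the new path reports 6 (Permission denied), and both still refuse the login.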
