[openssh-commits] [openssh] branch master updated: fix state confusion between PAM and privsep code

git+noreply at mindrot.org
Sun Mar 29 16:28:57 AEDT 2026


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

The following commit(s) were added to refs/heads/master by this push:
     new bdaf65ae5 fix state confusion between PAM and privsep code
bdaf65ae5 is described below

commit bdaf65ae51d62c6cb676bd341cc34217c1b24920
Author: Damien Miller <djm at mindrot.org>
AuthorDate: Sun Mar 29 16:24:59 2026 +1100

    fix state confusion between PAM and privsep code
    
    Commits b9a6dd4d6 and df2b28163 introduced a potential desynchronisation
    between the PAM code and the sshd-session monitor that could result in
    authentication bypass if the unprivileged sshd-auth process had been
    compromised.
    
    Reported by Ben Edelman of NIST. Only git HEAD is affected, these
    changes have not yet been included in an OpenSSH release.
---
 auth-pam.c | 8 ++++++++
 auth-pam.h | 1 +
 monitor.c  | 2 +-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/auth-pam.c b/auth-pam.c
index 4278a43a9..d2b3c3483 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -1015,6 +1015,14 @@ sshpam_free_ctx(void *ctxtp)
 	 */
 }
 
+int
+sshpam_priv_kbdint_authdone(void *ctxtp)
+{
+	struct pam_ctxt *ctxt = ctxtp;
+
+	return ctxt->pam_done == SshPamAuthenticated;
+}
+
 KbdintDevice sshpam_device = {
 	"pam",
 	sshpam_init_ctx,
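Review bot: sshpam_priv_kbdint_authdone() dereferences ctxtp with no NULL check and carries no comment. The only caller visible in this patch (mm_answer_pam_query in monitor.c) has already done `fatal_f("no context")` on a missing context, but because the prototype is exported in auth-pam.h the contract is not obvious to future callers. Suggest either an explicit `if (ctxt == NULL) return 0;` ahead of the comparison, or a short comment above the function stating that it is intended for the privileged monitor only, must be passed a live sshpam_ctxt, and reports whether PAM's own state machine has reached SshPamAuthenticated.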
diff --git a/auth-pam.h b/auth-pam.h
index c068bc896..491336701 100644
--- a/auth-pam.h
+++ b/auth-pam.h
@@ -42,5 +42,6 @@ int sshpam_auth_passwd(Authctxt *, const char *);
 int sshpam_get_maxtries_reached(void);
 void sshpam_set_maxtries_reached(int);
 int is_pam_session_open(void);
+int sshpam_priv_kbdint_authdone(void *ctxtp);
 
 #endif /* USE_PAM */
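Review bot: style nit on the new prototype: the neighbouring declarations in this header omit parameter names (`int sshpam_auth_passwd(Authctxt *, const char *);`, `void sshpam_set_maxtries_reached(int);`), whereas the added line reads `int sshpam_priv_kbdint_authdone(void *ctxtp);`. `int sshpam_priv_kbdint_authdone(void *);` would match the surrounding file.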
diff --git a/monitor.c b/monitor.c
index b722baef5..9d6672bb6 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1204,7 +1204,7 @@ mm_answer_pam_query(struct ssh *ssh, int sock, struct sshbuf *m)
 		fatal_f("no context");
 	ret = (sshpam_device.query)(sshpam_ctxt, &name, &info,
 	    &num, &prompts, &echo_on);
-	if (ret == 0 && num == 0)
+	if (ret == 0 && num == 0 && sshpam_priv_kbdint_authdone(sshpam_ctxt))
 		sshpam_authok = sshpam_ctxt;
 	if (num > 1 || name == NULL || info == NULL)
 		fatal("sshpam_device.query failed");
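Review bot: the strengthened condition `if (ret == 0 && num == 0 && sshpam_priv_kbdint_authdone(sshpam_ctxt))` deserves a one-line comment in monitor.c, since the reason for the third term lives only in the commit message: a successful zero-prompt query from the device is no longer sufficient on its own, and the monitor now also requires its own PAM context to have reached SshPamAuthenticated before it sets sshpam_authok. Without that comment a later cleanup could plausibly "simplify" the check back to the original two terms. Also worth confirming, as part of this review, that sshpam_authok is not assigned on any other path driven by the unprivileged side, because this hunk guards only this one assignment.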

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.