Solaris and a minor PAM *problem*

Will Day willday at rom.oit.gatech.edu
Fri Aug 11 06:56:14 EST 2000


A short time ago, at a computer terminal far, far away, Andrew Morgan wrote:
>> Closing connection to n.n.n.n
>> Cannot delete credentials: Permission denied
>>                            ^^^^^^^^^^^^^^^^^
>> Why do I get this *Permission denied* ???
>> 
>> The error is generated in auth-pam.c:
>>     pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED);
>>     if (pam_retval != PAM_SUCCESS) {
>>         log("Cannot delete credentials: %.200s",
>>             PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
>>     }
>> i.e. the return value from pam_setcred isn't PAM_SUCCESS.
>
>This is likely to be a misfeature of the Solaris implementation of the
>pam_unix.so module. I don't believe it is indicative of anything other
>than the fact that pam_unix.so does not implement credential deletion.
>(In other words, if you don't hear differently from someone at Sun - who
>knows for definite what their pam_unix does? - I don't believe you need
>to worry about this error.)

I've just been looking through the source code, and it seems the error is
generated by Sun's pam_unix because geteuid()==0, with sshd running as
root.  It also hands a three-part error message to the conversation
function:

   removing root credentials would break the rpc services that
   use secure rpc on this host!
   root may use keylogout -f to do this (at your own risk)!

OpenSSH doesn't ever print this, though, as its conv function handles only
PAM_PROMPT_ECHO_OFF and PAM_TEXT_INFO, and this is PAM_ERROR_MSG.

A few thoughts that come to mind:

 - ifdef the PAM_DELETE_CRED out for Solaris?  For default sites, this
   would be fine, and would remove the superfluous error messages.  For
   sites actually using secureRPC/keylogin, or for sites using pam modules
   other than pam_unix which might need to delete their creds, it could
   cause problems.

   Personally, I wonder why pam_unix is looking at geteuid rather than the
   actual username/uid for the pam session, but I don't understand enough
   about secure RPC to guess why this might be an issue.

 - handle PAM_ERROR_MSG in pamconv()

 - output any remaining pam_msg before ending a session (to the user? to
   the syslog?); right now, pam_msg is only ever output at login.

-- 
Will Day     <PGP mail preferred>     OIT / O&E / Technical Support
willday at rom.oit.gatech.edu            Georgia Tech, Atlanta 30332-0715
  -> Opinions expressed are mine alone and do not reflect OIT policy <-
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    Benjamin Franklin, Pennsylvania Assembly, Nov. 11, 1755
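An added example (not OpenSSH's or Sun's code) of the second suggestion above: a PAM conversation function that accepts PAM_ERROR_MSG alongside PAM_TEXT_INFO, collecting the text into a pam_msg-style buffer for later logging instead of failing the conversation. The PAM constants and structs are declared locally so it compiles without libpam headers; pam_msg, run_demo and the three replayed message lines are constructed for the example.

```c
/* Stand-ins for <security/pam_appl.h> (values as in Linux-PAM and Solaris) so this compiles alone. */
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4, PAM_CONV_ERR = 19 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Hypothetical stand-in for OpenSSH's pam_msg: collected error/info text to log or show at session end. */
static char pam_msg[1024];

/* Conversation callback; appdata_ptr carries the password for echo-off prompts. */
static int pamconv(int num_msg, const struct pam_message **msg,
                   struct pam_response **resp, void *appdata_ptr)
{
    struct pam_response *reply = calloc(num_msg, sizeof *reply);

    if (reply == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:
            reply[i].resp = strdup(appdata_ptr ? (const char *)appdata_ptr : "");
            break;
        case PAM_ERROR_MSG:  /* the style OpenSSH's pamconv() did not handle */
        case PAM_TEXT_INFO:  /* append, leaving room for '\n' and the NUL */
            if (strlen(pam_msg) + 2 < sizeof pam_msg) {
                strncat(pam_msg, msg[i]->msg, sizeof pam_msg - strlen(pam_msg) - 2);
                strcat(pam_msg, "\n");
            }
            break;
        default:             /* echo-on prompts and unknown styles: refuse, freeing what we built */
            while (i-- > 0) free(reply[i].resp);
            free(reply);
            return PAM_CONV_ERR;
        }
    }
    *resp = reply;
    return PAM_SUCCESS;
}

/* Constructed replay of the three lines Sun's pam_unix emits for root on PAM_DELETE_CRED. */
static int run_demo(void)
{
    static const struct pam_message m[3] = {
        { PAM_ERROR_MSG, "removing root credentials would break the rpc services that" },
        { PAM_ERROR_MSG, "use secure rpc on this host!" },
        { PAM_ERROR_MSG, "root may use keylogout -f to do this (at your own risk)!" } };
    const struct pam_message *mp[3] = { &m[0], &m[1], &m[2] };
    struct pam_response *resp = NULL;
    int rc = pamconv(3, mp, &resp, NULL);

    if (rc == PAM_SUCCESS) free(resp);  /* no prompts were answered, so every resp entry is NULL */
    return rc;
}
```

With this in place, the keylogout text ends up in pam_msg rather than being dropped, and the caller can decide whether to syslog it or show it to the user before the session ends.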