2.1.1p2 HP-UX 11 PAM General Commercial Security error
Kevin Steves
stevesk at sweden.hp.com
Sat Jul 8 21:51:58 EST 2000
On Sat, 8 Jul 2000, Damien Miller wrote:
: On Fri, 7 Jul 2000, Kevin Steves wrote:
: > On Mon, 3 Jul 2000, Kevin Steves wrote:
: > > Jul 3 15:19:29 robinson sshd[1293]: PAM rejected by account configuration: [32] General Commercial Security error
:
: > Not much progress made other than I discovered I don't get this error and
: > can log in successfully when running the server in debug mode (i.e.,
: > "sshd -d").
: >
: > Strange. Any ideas?
:
: Some PAM modules fail mysteriously because ssh doesn't always set
: the PAM_TTY. At least one of these (pam_tty) then assumes (stupidly
: IMNSHO) that fd 0 is the tty and tries to use that. This will cause
: failures when sshd is run in daemon mode, but not in debug mode.
:
: Perhaps an strace/truss of the failure would shed some light on it.
I turned on debugging in the pam modules and now see (get_comsec_info
message):
Jul 8 13:36:59 robinson sshd[6045]: get_comsec_info: Cannot obtain database information on this terminal
Jul 8 13:36:59 robinson sshd[6045]: pam_acct_mgmt: error General Commercial Security error
Jul 8 13:36:59 robinson sshd[6045]: PAM rejected by account configuration: [32] General Commercial Security error
It's complaining about the fake PAM_TTY; with this code removed it
works:
#if 0
	pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, "ssh");
	if (pam_retval != PAM_SUCCESS) {
		fatal("PAM set tty failed: [%d] %.200s",
		    pam_retval,
		    PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
	}
#endif
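
For triage of this failure in syslog, the following is an added example, not part of the original post or of OpenSSH: it groups sshd lines by PID and marks each "PAM rejected by account configuration" entry that was preceded by the get_comsec_info terminal lookup error, to separate the PAM_TTY case from other account rejections. The function name, field names and the pid 7001 line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the three lines quoted in the post, plus one
# constructed unrelated rejection (pid 7001) for contrast.
SAMPLE_LOG = """\
Jul 8 13:36:59 robinson sshd[6045]: get_comsec_info: Cannot obtain database information on this terminal
Jul 8 13:36:59 robinson sshd[6045]: pam_acct_mgmt: error General Commercial Security error
Jul 8 13:36:59 robinson sshd[6045]: PAM rejected by account configuration: [32] General Commercial Security error
Jul 8 13:40:12 robinson sshd[7001]: PAM rejected by account configuration: [13] constructed unrelated error
"""

# syslog prefix: "Mon D HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
REJECT_RE = re.compile(
    r"^PAM rejected by account configuration: \[(?P<code>\d+)\]\s*(?P<text>.*)$"
)
# Message emitted by the PAM module once its debugging is enabled (from the post).
TTY_HINT = "get_comsec_info: Cannot obtain database information on this terminal"


def classify_rejections(log_text):
    """Return one record per PAM account rejection, in log order.

    tty_lookup_failed is True when the same sshd PID logged the terminal
    database lookup failure before the rejection.
    """
    earlier_msgs = defaultdict(list)  # pid -> messages seen before a rejection
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line, or a wrapped continuation
        pid, msg = int(m["pid"]), m["msg"]
        rej = REJECT_RE.match(msg)
        if rej is None:
            earlier_msgs[pid].append(msg)
            continue
        results.append({
            "time": m["ts"],
            "host": m["host"],
            "pid": pid,
            "code": int(rej["code"]),
            "tty_lookup_failed": any(TTY_HINT in e for e in earlier_msgs[pid]),
        })
    return results
```

The terminal lookup message only appears when debugging is enabled in the PAM modules, so a False result on a host without that debugging does not rule out the PAM_TTY cause.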