2.5.1p1 on Redhat Linux 6.2 using PAM does not log closing of session
Damien Miller
djm at mindrot.org
Wed Feb 28 08:36:04 EST 2001
On Tue, 27 Feb 2001, Pekka Savola wrote:
> Looking at this, this looks like to be a real issue. Rather important as
> well.
>
> in auth-pam.c, when do_pam_session (the same problem is with
> do_pam_setcred), session_opened is set to 1 (tested with debugging).
>
> However, when the session closes, in do_pam_cleanup_proc:
>
>     if (__pamh && session_opened) {
>         pam_retval = pam_close_session(__pamh, 0);
>         if (pam_retval != PAM_SUCCESS)
>             log("Cannot close PAM session[%d]: %.200s",
>                 pam_retval, PAM_STRERROR(__pamh, pam_retval));
>     }
>
> this check doesn't match; session_opened is still 0 and if (__pamh) is
> used instead.
I see - It is getting set in the child rather than the parent.

I can't see how we can work around this. Basically we do a

    fork()
    pam_session()
    setuid()
    exec()

If we change back to

    pam_session()
    fork()
    setuid()
    exec()

Then things like pam_limits.so set limits for the ssh server process
rather than the child.
-d
--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer
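
The two orderings discussed in this message, as an added example that is not part of the original post or of OpenSSH's code. `fake_pam_session()` and `server_view()` are hypothetical stand-ins; the limit change imitates what a module such as pam_limits.so would do, and a Linux-like system is assumed.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static int session_opened = 0;   /* same role as the flag in auth-pam.c */

/* Hypothetical stand-in for the session step with a limits module loaded:
 * lowers a resource limit of the calling process and marks the session open. */
static void fake_pam_session(void) {
    struct rlimit rl;
    getrlimit(RLIMIT_NOFILE, &rl);
    if (rl.rlim_cur > 1)
        rl.rlim_cur -= 1;        /* lowering a soft limit needs no privilege */
    setrlimit(RLIMIT_NOFILE, &rl);
    session_opened = 1;
}

/* Runs one ordering inside a throwaway "server" process and returns what that
 * server sees afterwards: bit 0 = session_opened, bit 1 = own limit changed. */
static int server_view(int session_before_fork) {
    pid_t server = fork();
    if (server < 0)
        return -1;
    if (server == 0) {
        struct rlimit before, after;
        getrlimit(RLIMIT_NOFILE, &before);
        if (session_before_fork)
            fake_pam_session();
        pid_t child = fork();
        if (child == 0) {
            if (!session_before_fork)
                fake_pam_session();  /* writes the child's copy only */
            _exit(0);                /* setuid()/exec() would go here */
        }
        waitpid(child, NULL, 0);
        getrlimit(RLIMIT_NOFILE, &after);
        _exit(session_opened | ((before.rlim_cur != after.rlim_cur) << 1));
    }
    int status = 0;
    waitpid(server, &status, 0);
    return WEXITSTATUS(status);
}

int main(void) {
    printf("fork, then session: %d\n", server_view(0));
    printf("session, then fork: %d\n", server_view(1));
    return 0;
}
```

A result of 0 means the server never sees the flag, so the cleanup check is skipped; 3 means the flag is visible but the server's own limits were altered.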