Reporting back on Sol2.6 and Sol8 with Openssh3.0p1 + PAM

[Ed Phillips]

On 8 Nov 2001, Scott Burch wrote:

> Date: 08 Nov 2001 23:48:34 -0500
> From: Scott Burch <scott.burch at camberwind.com>
> To: Mark D. Baushke <mdb at juniper.net>
> Cc: Ed Phillips <ed at UDel.Edu>,
>      "Dost,     Alexander" <Alexander.Dost at drkw.com>,
>      OpenSSH Development <openssh-unix-dev at mindrot.org>
> Subject: Reporting back on Sol2.6 and Sol8 with Openssh3.0p1 + PAM
>
> Hello,
>
> I sucessfully built OpenSSH 3.0p1 on Solaris 2.6 (however PAM and
> password aging does not work on 2.6, but it does work on Solaris
> 8...details are provided below) today with Sun's Forte 6 Update 2. I
> made sure all the latest linker patches and Forte patches were applied
> as well as any c/c++ library patches were applied. I also applied the
> latest  patch.
>
> Details on patches:
>
>
> Patch-ID# 106271-08
> Keywords: security pam_unix.so.1 csh umask nispasswd Passwd_compat
> Synopsis: SunOS 5.6: /usr/lib/security/pam_unix.so.1 patch
> Date: Sep/17/2001
>
> Patch-ID# 111685-02
> Keywords: C++ 5.3 CC 5.3 WS6U2
> Synopsis: C++ 5.3: Patch for Forte Developer 6 update 2 C++ compiler
> Date: Oct/01/2001
>
> Patch-ID# 111678-04
> Keywords: common compiler backend iropt cg libmtsk WS6U2
> Synopsis: Compiler Common 6.2: Patch Forte Developer 6 update 2, C++ F77
> F95
> Date: Oct/01/2001
>
> Compile Options other than --with-pam:
>
> --disable-suid-ssh
> --without-rsh
> --with-prngd-socket
> --with-tcp-wrappers
>
> On Solaris 8 I compiled with the same options.
>
> I created two local accounts on the two servers running OpenSSH 3.0p1.
> I set the password on both accounts and did a passwd -f to expire the
> passwords. We are required now to enable and enforce password aging
> where I work, so this will need to work.
>
> When I login to the Solaris 8 server I get the message that my
> password has expired and I am asked to enter my login password. I
> enter the login password and things work great!

Me too.

It's wierd because I thought 106271-08 would fix this on Sol2.6 too... but
it doesn't.  So I'm wondering if the corresponding "passwd -f doesn't
work" patch on Sol8 isn't fixing this problem on Sol8 either, but it's
something else entirely... nah... couldn't be.  Must be a difference in
pam_unix.so between 2.6 and 8?

> On Solaris 2.6 I get the same message to enter my login password, but
> after entering a new password I get the following:
>
> "Removing root credentials would break the rpc services that use secure
> rpc on this host! Root may use key logout -f to do this (at your own
> risk)!" I am then disconnected.

I have reproduced this.  The problem with the creds is a completely
separate bug that seems to occur with sshd/PAM on Solaris and is caused by
the following scenario:

1) pam_unix.so uses the effective uid to decide whose creds to delete (if
it's uid=0, it gives the error messages - and with openssh it's uid=0)

2) sshd doesn't call seteuid() to change to the user before deleting creds

Some people have said that pam_unix.so should use PAM_USER to determine
whose creds to delete (and it's therefore a bug in PAM on Solaris)... but
others have noted that Sun has made pam_unix.so work like this from the
start.  Noone who knows the PAM standard backwards and forwards has
commented to say how pam_sm_setcred(PAM_DELETE_CREDS) is SUPPOSED to
determine the user whose creds need to be deleted.

> (Now I can duplicate this activity on Solaris 8 if I am another user on
> one host and connect via ssh to the Solaris 8 box running ssh 3.0p1 as
> the user whose password has expired (ssh -l). I presume this is
> normal..password changing for the user with an expired password only
> works if you are connecting as that user from the remote host?)

Changing expired passwords on Sol8 works for me with the recommended
patches.  But Alexander has seen the same "close the connection"  problem
with expired passwords on Sol8 which he reported yesterday - he didn't
tell me yet if he has the "passwd -f doesn't work" patch installed on his
Sol8 box, tho'.  I'd guess he doesn't have it yet.  Has anyone tried to
reproduce this on a Sol8 box with the "passwd -f doesn't work" patch
removed - just to see if it's really fixing THIS particular problem or if
it's just coincidence that this works on Sol8 but not on Sol2.6?

Due the the error returned by pam_sm_chauthtok (it returns -1) in
pam_unix.so , I think it's a pam_unix.so bug, but I can't be certain
without discussing Sol8 source in detail, which I'm not sure is allowed by
my source agreement. Darren, can I discuss this with you directly so I can
make direct references to the Sol8 source?  Maybe you could tell me how
the patched up version of pam_unix.so source differs from Sol8 FCS (like,
whether this -1 return code thing is in one of the fixes) - that would
probably rule-in or rule-out my suspicions pretty quickly...

Isn't Sol8 "open-source" now (maybe only in the sense that you can do what
you want with it except sell it) or was that just pipe dream...?

> I did not do anything with /etc/pam.conf on either host..I am using the
> default that came with the system.

That should be fine - pam_unix.so is set up to do be the default for every
service.

> So, it appears that password aging and pam do not get along on Solaris
> 2.6 even with the latest patch? I'll take a closer look at things when I
> get in tomorrow morning. If you need further information, want debugger
> output...I am willing to compile with debugging, etc.

I'm not sure debugging (-g) in sshd would help more than when we just run
it with LogLevel DEBUG3, making sure /etc/pam_debug exists, and putting
the debug option on the pam.conf entries from "other".  The problem exists
somewhere in pam_unix.so - and it's the culprit that is return a -1 error
back to sshd (which according to the man pages, can't happen ;-). It would
be nice however to recompile pam_unix.so.1 with some extra logging stuck
in... ;-)

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key