Reporting back on Sol2.6 and Sol8 with Openssh3.0p1 + PAM

Scott Burch scott.burch at camberwind.com
Sat Nov 10 03:24:31 EST 2001


Ed,

See below....Actually since yesterday I built everything on Solaris 2.6...I
wasn't paying much attention to all the patches on my 8 box. It turns out I
do not have the 111659-02 patch (pam_unix.so.1 patch) or any previous
version of this patch on my Solaris 8 compile box; so the patch is not what
allows pam and expired passwords to work with OpenSSH...something else must
be doing this. I am going to send a separate email to you with two attached
html files containing all the patches on both boxes (output from Sun's Patch
Check Tool, available on SunSolve). In summary, people have been misled into
believing that the pam patch is what allows this to work. In any case my 2.6
compiled OpenSSH works fine on Solaris 8 and I can log in via OpenSSH to an
account that has an expired password and successfully update the password
without being disconnected. Hopefully we all can get to the bottom of this.
It is difficult to determine differences in systems without detailed info on
all installed patches....which can be painful to obtain (however the Patch
Check tool does a fairly decent job).

Other things:

On the Solaris 2.6 compile system which contains all the latest recommended
patches, plus the latest PAM patch and various other patches I have applied,
accounts that have had passwd -f run on them do allow users to log in and
change their expired passwords without trouble....it only doesn't work via
OpenSSH 3.0p1.

-Scott


----- Original Message -----
From: "Ed Phillips" <ed at UDel.Edu>
To: "Scott Burch" <scott.burch at camberwind.com>
Cc: "Mark D. Baushke" <mdb at juniper.net>; "Dost, Alexander"
<Alexander.Dost at drkw.com>; "OpenSSH Development"
<openssh-unix-dev at mindrot.org>
Sent: Friday, November 09, 2001 9:59 AM
Subject: Re: Reporting back on Sol2.6 and Sol8 with Openssh3.0p1 + PAM


> Me too.
>
> It's weird because I thought 106271-08 would fix this on Sol2.6 too... but
> it doesn't.  So I'm wondering if the corresponding "passwd -f doesn't
> work" patch on Sol8 isn't fixing this problem on Sol8 either, but it's
> something else entirely... nah... couldn't be.  Must be a difference in
> pam_unix.so between 2.6 and 8?
>
> > On Solaris 2.6 I get the same message to enter my login password, but
> > after entering a new password I get the following:
> >
> > "Removing root credentials would break the rpc services that use secure
> > rpc on this host! Root may use key logout -f to do this (at your own
> > risk)!" I am then disconnected.
>
> I have reproduced this.  The problem with the creds is a completely
> separate bug that seems to occur with sshd/PAM on Solaris and is caused by
> the following scenario:
>
> 1) pam_unix.so uses the effective uid to decide whose creds to delete (if
> it's uid=0, it gives the error messages - and with openssh it's uid=0)
>
> 2) sshd doesn't call seteuid() to change to the user before deleting creds
>
> Some people have said that pam_unix.so should use PAM_USER to determine
> whose creds to delete (and it's therefore a bug in PAM on Solaris)... but
> others have noted that Sun has made pam_unix.so work like this from the
> start.  No one who knows the PAM standard backwards and forwards has
> commented to say how pam_sm_setcred(PAM_DELETE_CREDS) is SUPPOSED to
> determine the user whose creds need to be deleted.
>
> > (Now I can duplicate this activity on Solaris 8 if I am another user on
> > one host and connect via ssh to the Solaris 8 box running ssh 3.0p1 as
> > the user whose password has expired (ssh -l). I presume this is
> > normal... password changing for the user with an expired password only
> > works if you are connecting as that user from the remote host?)
>
> Changing expired passwords on Sol8 works for me with the recommended
> patches.  But Alexander has seen the same "close the connection"  problem
> with expired passwords on Sol8 which he reported yesterday - he didn't
> tell me yet if he has the "passwd -f doesn't work" patch installed on his
> Sol8 box, tho'.  I'd guess he doesn't have it yet.  Has anyone tried to
> reproduce this on a Sol8 box with the "passwd -f doesn't work" patch
> removed - just to see if it's really fixing THIS particular problem or if
> it's just coincidence that this works on Sol8 but not on Sol2.6?
>
> Due to the error returned by pam_sm_chauthtok (it returns -1) in
> pam_unix.so , I think it's a pam_unix.so bug, but I can't be certain
> without discussing Sol8 source in detail, which I'm not sure is allowed by
> my source agreement. Darren, can I discuss this with you directly so I can
> make direct references to the Sol8 source?  Maybe you could tell me how
> the patched up version of pam_unix.so source differs from Sol8 FCS (like,
> whether this -1 return code thing is in one of the fixes) - that would
> probably rule-in or rule-out my suspicions pretty quickly...
>
> Isn't Sol8 "open-source" now (maybe only in the sense that you can do what
> you want with it except sell it) or was that just pipe dream...?
>
> > I did not do anything with /etc/pam.conf on either host. I am using the
> > default that came with the system.
>
> That should be fine - pam_unix.so is set up to be the default for every
> service.
>
> > So, it appears that password aging and pam do not get along on Solaris
> > 2.6 even with the latest patch? I'll take a closer look at things when I
> > get in tomorrow morning. If you need further information, want debugger
> > output...I am willing to compile with debugging, etc.
>
> I'm not sure debugging (-g) in sshd would help more than when we just run
> it with LogLevel DEBUG3, making sure /etc/pam_debug exists, and putting
> the debug option on the pam.conf entries from "other".  The problem exists
> somewhere in pam_unix.so - and it's the culprit that is returning a -1 error
> back to sshd (which according to the man pages, can't happen ;-). It would
> be nice however to recompile pam_unix.so.1 with some extra logging stuck
> in... ;-)
>
> Ed
>
> Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> Systems Programmer III, Network and Systems Services
> finger -l ed at polycut.nss.udel.edu for PGP public key
>
>
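The two-step scenario Ed describes above (the Solaris pam_unix.so credential-deletion code keying on the effective uid rather than on PAM_USER, and sshd still running with euid 0 when it asks for creds to be deleted) can be illustrated with a small mock. This is an added example written for this archive page; it is not OpenSSH code, not Sun's pam_unix.so, and it does not link against libpam. The `mock_delete_creds()` function is a constructed stand-in that imitates only the behaviour quoted in the thread (refuse when euid is 0), and `with_euid()` is the kind of wrapper a privileged daemon would use to run that call as the target user and then restore its own privileges.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed stand-in for the pam_sm_setcred(PAM_DELETE_CRED) behaviour
 * described in the thread: the module decides whose credentials to delete
 * from the *effective* uid, not from PAM_USER, and refuses when that uid
 * is root.  This is not Sun's code; it only reproduces the quoted symptom. */
#define CRED_OK       0
#define CRED_REFUSED  1

static uid_t last_owner_seen = (uid_t)-1;

int mock_delete_creds(void)
{
    uid_t euid = geteuid();
    last_owner_seen = euid;          /* record which uid the "module" used */
    if (euid == 0) {
        /* The message quoted earlier in the thread. */
        fputs("Removing root credentials would break the rpc services that "
              "use secure rpc on this host!\n", stderr);
        return CRED_REFUSED;
    }
    return CRED_OK;
}

/* Which uid the last mock_delete_creds() call keyed on (for checking). */
uid_t owner_seen_by_last_call(void)
{
    return last_owner_seen;
}

/* Run op() with the effective uid temporarily switched to `target`, then
 * switch back.  Returns op()'s result, or -1 if either seteuid() failed.
 * A root daemon keeps its saved set-user-ID when it calls seteuid(user),
 * so seteuid(saved) afterwards succeeds; an unprivileged process may only
 * switch to its own real uid, which is what the stand-alone main() does. */
int with_euid(uid_t target, int (*op)(void))
{
    uid_t saved = geteuid();
    int rc;

    if (target != saved && seteuid(target) != 0) {
        perror("seteuid(target)");
        return -1;
    }
    rc = op();
    if (target != saved && seteuid(saved) != 0) {
        perror("seteuid(restore)");
        return -1;
    }
    return rc;
}

int main(void)
{
    /* Unwrapped call: keys on whatever euid we happen to have (the sshd case
     * in the thread, where that is 0). */
    int direct = mock_delete_creds();
    printf("direct call: euid seen=%lu rc=%d\n",
           (unsigned long)owner_seen_by_last_call(), direct);

    /* Wrapped call: the daemon switches to the real user first. */
    int wrapped = with_euid(getuid(), mock_delete_creds);
    printf("wrapped call: euid seen=%lu rc=%d, euid restored to %lu\n",
           (unsigned long)owner_seen_by_last_call(), wrapped,
           (unsigned long)geteuid());
    return 0;
}
```

Run as an ordinary user both calls succeed, because the effective uid is never 0; run as root the direct call hits the refusal while the wrapped one, which does the seteuid() step the thread says sshd was missing, passes the user's uid to the mock and then restores root. Nothing here changes how the real module picks the owner; that question (effective uid versus PAM_USER) is the one the thread leaves open.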