Another round of testing calls.
Ed Phillips
ed at UDel.Edu
Thu Oct 25 05:58:58 EST 2001
Is it possible that this is a direct result of using the kludge -
specifying a bogus tty name which can't possibly be used to fetch a
password? Probably, sshd should not call pam_open_session() in the case
where we are running in non-interactive mode - and sshd should just exit
with a "password expired" error if the password needs to be changed.

in.rshd on Sol8 does not call the PAM session stuff.
pam_unix.so on Sol8 has a pam_sm_open_session() which requires the tty
name to be available (and my guess is that it must be valid as well -
hence the problems with not passing a tty name). Sure, it's a bug in Sol8
pam_unix.so, but the docs are pretty thin regarding what
pam_sm_open_session() is supposed to do and whether the PAM_TTY is
required. My guess is that PAM_TTY is actually a required parameter (if
you're going to do PAM session stuff) and unexpected results will occur if
you just fill it with a bogus string.
Ed
On Wed, 24 Oct 2001 mouring at etoh.eviladmin.org wrote:
> Date: Wed, 24 Oct 2001 09:27:48 -0500 (CDT)
> From: mouring at etoh.eviladmin.org
> Cc: "Dost, Alexander" <Alexander.Dost at drkw.com>, openssh-unix-dev at mindrot.org
> Subject: Re: Another round of testing calls.
>
>
> If PAM is doing the password change, then I have to agree with Markus.
> Could one of our Lurking Sun experts reproduce this and check if there is
> a bug in their PAM code or if we are missing a bit of code?
>
> - Ben
>
> On Wed, 24 Oct 2001, Markus Friedl wrote:
>
> > On Wed, Oct 24, 2001 at 10:46:57AM +0200, Dost, Alexander wrote:
> > > Is the problem with clear-text passwords after using the kludge on Sol8
> > > known and will it be fixed ?
> > > I didn't see any reply on this problem.
> >
> > this is probably a bug in the PAM: either they should
> > not depend on the TTY kludge or not ask for a password
> > if there is no TTY.
> >
> > -m
> >
>
Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key