Regarding PAM_TTY_KLUDGE and Solaris 8...

Ed Phillips ed at UDel.Edu
Thu Oct 25 23:47:40 EST 2001


What is the reasoning behind this?  Do we want to see a lastlog entry for
"ssh" whenever a user runs a remote command?  Do other OSes have
pam_open_session that does more meaningful things than Solaris 8?
Well...  I guess the more I think about it, it's probably better to go
ahead and call pam_open_session even for the non-interactive case since
someone might want to implement a PAM module at their site that logs every
ssh connection... and if we don't call pam_open_session, then they don't
even have that capability if they wanted it.

I agree.  Your patch below will avoid the SEGV on Sol8 regardless of
whether or not the user has installed the patch to fix pam_unix.so.

Also, I'll check with our platinum-beta contact at Sun to see if it's okay
to test openssh on Sol9 Beta and report problems to this list, etc.

	Ed

On Thu, 25 Oct 2001, Damien Miller wrote:

> Date: Thu, 25 Oct 2001 10:45:34 +1000 (EST)
> From: Damien Miller <djm at mindrot.org>
> To: Darren Moffat <Darren.Moffat at eng.sun.com>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: Regarding PAM_TTY_KLUDGE and Solaris 8...
>
> On Wed, 24 Oct 2001, Darren Moffat wrote:
>
> >
> > >Okay, this appears to be a problem with pam_unix.so - the code in
> > >pam_sm_open_session is written with the assumption that the tty name is of
> > >the form "/dev/" + something else on the end.  I'm not sure why the
> >
> > pam_sm_open_session in pam_unix on Solaris now does this:
> >
> >         /* report error if ttyn or rhost are not set */
> >         if ((ttyn == NULL) || (rhost == NULL))
> >                 return (PAM_SESSION_ERR);
> >
> >         /* sanity check on size of tty line */
> >         if (strlen(ttyn) < sizeof("/dev/"))
> >                 return (PAM_SESSION_ERR);
> >
> > later on it uses everything after the /dev/ as the short name tty to
> > write to lastlog.
> >
> > This was part of the fix for 4250887. The fix will appear in patch
> > 111659-03 (sparc) and 111660-03 (intel) when that patch is released.
>
> IMO until then we should enable the kludge, but change it as follows.
> Kevin, can you check whether the kludge works with this patch on HP/UX?
> (is the kludge even needed there?)
>
> Index: auth-pam.c
> ===================================================================
> RCS file: /var/cvs/openssh/auth-pam.c,v
> retrieving revision 1.37
> diff -u -r1.37 auth-pam.c
> --- auth-pam.c	2001/04/23 18:38:37	1.37
> +++ auth-pam.c	2001/10/25 00:43:55
> @@ -374,7 +374,7 @@
>  	 * not even need one (for tty-less connections)
>  	 * Kludge: Set a fake PAM_TTY
>  	 */
> -	pam_retval = pam_set_item(__pamh, PAM_TTY, "ssh");
> +	pam_retval = pam_set_item(__pamh, PAM_TTY, "NODEVssh");
>  	if (pam_retval != PAM_SUCCESS)
>  		fatal("PAM set tty failed[%d]: %.200s",
>  		    pam_retval, PAM_STRERROR(__pamh, pam_retval));
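Review bot: the length of the replacement string is load-bearing, and the comment above the changed line ("Kludge: Set a fake PAM_TTY") does not say so. The quoted Solaris pam_unix check rejects any tty name shorter than sizeof("/dev/") and then uses everything after those five characters as the lastlog short name, so "NODEV" must stay exactly five characters for "ssh" to be what is logged, and the previous value "ssh" on its own fails the length check. Suggest extending the comment, e.g. `* "NODEV" is five characters, like "/dev/", so pam_unix's length check passes and the logged name is "ssh"`, so a later cleanup does not shorten or rename it.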
>
> -d
>
> --
> | By convention there is color,       \\ Damien Miller <djm at mindrot.org>
> | By convention sweetness, By convention bitterness, \\ www.mindrot.org
> | But in reality there are atoms and space - Democritus (c. 400 BCE)
>

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
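The coupling discussed in the thread, as an added example that is not code from OpenSSH or from Solaris pam_unix: a standalone model of the quoted pam_sm_open_session length check and lastlog short-name derivation, next to the sshd-side choice of PAM_TTY value from the patch, run over the old fake name "ssh", the patched "NODEVssh" and a real device path. The PAM return codes are defined locally so it builds without libpam, and both function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Modelled PAM return codes, defined locally so no libpam is needed. */
#define PAM_SUCCESS      0
#define PAM_SESSION_ERR  14

#define TTY_PREFIX "/dev/"      /* prefix pam_unix skips: five characters */
#define FAKE_TTY   "NODEVssh"   /* the patched kludge value from the thread */

/* sshd side: value handed to pam_set_item(PAM_TTY).  A real session
 * passes its device path; a tty-less remote command gets the kludge. */
const char *pam_tty_for_session(const char *ttyname)
{
    return ttyname != NULL ? ttyname : FAKE_TTY;
}

/* Model of the quoted pam_unix check: reject a missing tty or rhost,
 * reject a name shorter than sizeof("/dev/") (6, the NUL counts), then
 * hand back everything after the five-character prefix for lastlog. */
int session_short_tty(const char *ttyn, const char *rhost, const char **out)
{
    *out = NULL;
    if (ttyn == NULL || rhost == NULL)
        return PAM_SESSION_ERR;
    if (strlen(ttyn) < sizeof(TTY_PREFIX))
        return PAM_SESSION_ERR;
    *out = ttyn + sizeof(TTY_PREFIX) - 1;   /* "NODEVssh" -> "ssh" */
    return PAM_SUCCESS;
}

int main(void)
{
    /* constructed inputs: old kludge, bare prefix, real tty, no tty */
    const char *cases[] = { "ssh", "/dev/", "/dev/pts/3", NULL };
    const char *rhost = "client.example";   /* constructed remote host */
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        const char *tty = pam_tty_for_session(cases[i]);
        const char *shortname;
        int rc = session_short_tty(tty, rhost, &shortname);
        printf("PAM_TTY=%-12s -> %s%s\n", tty,
               rc == PAM_SUCCESS ? "ok, lastlog name " : "PAM_SESSION_ERR",
               rc == PAM_SUCCESS ? shortname : "");
    }
    return 0;
}
```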
