Regarding PAM_TTY_KLUDGE and Solaris 8...

mouring at etoh.eviladmin.org
Fri Oct 26 00:04:47 EST 2001


If the patch below gives us a reasonable solution, then I guess that is
as much as we can hope for in 3.0p1.

The question that still has to be asked is how this patch handles password
changes on non-interactive sessions.  Does PAM outright fail, causing the ssh
connection to quietly fail?  Does PAM whine loud enough to echo through
the failing ssh connection?  Or does it blow off the required password
change and execute the command?

Options #1 and #2 may be acceptable for the 3.0p1 release.  Option #3 would be
bad news since some may consider it a security flaw (mainly if you do
passwd -f account under Solaris).

In the end Option #2 would be best.

- Ben

On Thu, 25 Oct 2001, Ed Phillips wrote:

> What is the reasoning behind this?  Do we want to see a lastlog entry for
> "ssh" whenever a user runs remote command?  Do other OSes have
> pam_open_session that does more meaningful things than Solaris 8?
> Well...  I guess the more I think about it, it's probably better to go
> ahead and call pam_open_session even for the non-interactive case since
> someone might want to implement a PAM module at their site that logs every
> ssh connection... and if we don't call pam_open_session, then they don't
> even have that capability if they wanted it.
>
> I agree.  Your patch below will avoid the SEGV on Sol8 regardless of
> whether or not the user has installed the patch to fix pam_unix.so.
>
> Also, I'll check with our platinum-beta contact at Sun to see if it's okay
> to test openssh on Sol9 Beta and report problems to this list, etc.
>
> 	Ed
>
> On Thu, 25 Oct 2001, Damien Miller wrote:
>
> > Date: Thu, 25 Oct 2001 10:45:34 +1000 (EST)
> > From: Damien Miller <djm at mindrot.org>
> > To: Darren Moffat <Darren.Moffat at eng.sun.com>
> > Cc: openssh-unix-dev at mindrot.org
> > Subject: Re: Regarding PAM_TTY_KLUDGE and Solaris 8...
> >
> > On Wed, 24 Oct 2001, Darren Moffat wrote:
> >
> > >
> > > >Okay, this appears to be a problem with pam_unix.so - the code in
> > > >pam_sm_open_session is written with the assumption that the tty name is of
> > > >the form "/dev/" + something else on the end.  I'm not sure why the
> > >
> > > pam_sm_open_session in pam_unix on Solaris now does this:
> > >
> > >         /* report error if ttyn or rhost are not set */
> > >         if ((ttyn == NULL) || (rhost == NULL))
> > >                 return (PAM_SESSION_ERR);
> > >
> > >         /* sanity check on size of tty line */
> > >         if (strlen(ttyn) < sizeof("/dev/"))
> > >                 return (PAM_SESSION_ERR);
> > >
> > > later on it uses everything after the /dev/ as the short name tty to
> > > write to lastlog.
> > >
> > > This was part of the fix for 4250887. The fix will appear in patch
> > > 111659-03 (sparc) and 111660-03 (intel) when that patch is released.
> >
> > IMO until then we should enable the kludge, but change it as follows.
> > Kevin, can you check whether the kludge works with this patch on HP/UX?
> > (is the kludge even needed there?)
> >
> > Index: auth-pam.c
> > ===================================================================
> > RCS file: /var/cvs/openssh/auth-pam.c,v
> > retrieving revision 1.37
> > diff -u -r1.37 auth-pam.c
> > --- auth-pam.c	2001/04/23 18:38:37	1.37
> > +++ auth-pam.c	2001/10/25 00:43:55
> > @@ -374,7 +374,7 @@
> >  	 * not even need one (for tty-less connections)
> >  	 * Kludge: Set a fake PAM_TTY
> >  	 */
> > -	pam_retval = pam_set_item(__pamh, PAM_TTY, "ssh");
> > +	pam_retval = pam_set_item(__pamh, PAM_TTY, "NODEVssh");
> >  	if (pam_retval != PAM_SUCCESS)
> >  		fatal("PAM set tty failed[%d]: %.200s",
> >  		    pam_retval, PAM_STRERROR(__pamh, pam_retval));
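Review bot: The comment above the changed line ("Kludge: Set a fake PAM_TTY") does not say why the value is now "NODEVssh", and the value only works because of two details of the pam_unix code quoted earlier in this thread: the check `if (strlen(ttyn) < sizeof("/dev/"))` rejects any name shorter than six characters (which is why the old "ssh" failed), and the module then takes everything after the first five characters as the short tty name for lastlog, so "NODEVssh" ends up logged as "ssh". Suggest recording both facts in the comment, e.g. "must be at least sizeof("/dev/") bytes; Solaris pam_unix strips the first 5 chars for lastlog", so that the exact five-character prefix is not later shortened or "tidied" into something that either fails the length check again or logs a different name. It is also worth noting in the comment that this layout is specific to the Solaris module; whether it is needed or harmless on HP/UX is, per the question above, still unverified.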
> >
> > -d
> >
> > --
> > | By convention there is color,       \\ Damien Miller <djm at mindrot.org>
> > | By convention sweetness, By convention bitterness, \\ www.mindrot.org
> > | But in reality there are atoms and space - Democritus (c. 400 BCE)
> >
>
> Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> Systems Programmer III, Network and Systems Services
> finger -l ed at polycut.nss.udel.edu for PGP public key
>
>
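To make the reasoning behind the "NODEVssh" value concrete, here is an added C simulation of the two checks quoted from Solaris pam_unix above. It is example code written for this page, not code from OpenSSH or from the Solaris module; the function names (sim_open_session, sim_lastlog_name), the SIM_PAM_* return codes and the sample PAM_TTY values are assumptions made for illustration, and the pre-fix behaviour that SEGVs on a short name is not modelled.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative return codes standing in for PAM_SUCCESS / PAM_SESSION_ERR
 * (assumption: these are not the real libpam values). */
#define SIM_PAM_SUCCESS     0
#define SIM_PAM_SESSION_ERR 1

/*
 * Hypothetical re-creation of the sanity check quoted from Solaris
 * pam_unix's pam_sm_open_session (not the real module):
 *   - NULL ttyn or rhost             -> PAM_SESSION_ERR
 *   - strlen(ttyn) < sizeof("/dev/") -> PAM_SESSION_ERR
 * On success, the "short tty name" pam_unix would write to lastlog,
 * i.e. everything after the first strlen("/dev/") characters, is copied
 * into shortname.  The prefix is never checked to actually be "/dev/";
 * that unchecked assumption is what the "NODEVssh" kludge relies on.
 */
int sim_open_session(const char *ttyn, const char *rhost,
                     char *shortname, size_t shortlen)
{
    const char *tail;

    /* report error if ttyn or rhost are not set */
    if (ttyn == NULL || rhost == NULL || shortlen == 0)
        return SIM_PAM_SESSION_ERR;

    /* sanity check on size of tty line: sizeof("/dev/") is 6 (it counts
     * the NUL), so "ssh" (3 chars) fails and "NODEVssh" (8 chars) passes */
    if (strlen(ttyn) < sizeof("/dev/"))
        return SIM_PAM_SESSION_ERR;

    /* everything after the "/dev/" slot becomes the lastlog short name */
    tail = ttyn + (sizeof("/dev/") - 1);
    strncpy(shortname, tail, shortlen - 1);
    shortname[shortlen - 1] = '\0';
    return SIM_PAM_SUCCESS;
}

/* Convenience wrapper: returns the short name the simulated module would
 * log for a given PAM_TTY value (with a fixed, constructed rhost), or NULL
 * if it would have rejected the value.  Uses a static buffer. */
const char *sim_lastlog_name(const char *pam_tty)
{
    static char buf[64];
    if (sim_open_session(pam_tty, "example.invalid", buf, sizeof buf)
        != SIM_PAM_SUCCESS)
        return NULL;
    return buf;
}

int main(void)
{
    /* constructed sample PAM_TTY values: the old kludge value, the patched
     * kludge value, a real-looking Solaris pty path, and a bare prefix */
    const char *samples[] = { "ssh", "NODEVssh", "/dev/pts/3", "/dev/" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *name = sim_lastlog_name(samples[i]);
        if (name == NULL)
            printf("PAM_TTY=%-12s -> PAM_SESSION_ERR (rejected)\n",
                   samples[i]);
        else
            printf("PAM_TTY=%-12s -> lastlog short name \"%s\"\n",
                   samples[i], name);
    }
    return 0;
}
```

Running it shows "ssh" and even a bare "/dev/" rejected by the length check, "/dev/pts/3" logged as "pts/3", and "NODEVssh" accepted and logged as "ssh", which is exactly the lastlog entry the patch is tuned to produce.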
