Regarding PAM_TTY_KLUDGE and Solaris 8...
Nicolas Williams
Nicolas.Williams at ubsw.com
Fri Oct 26 00:04:27 EST 2001
It is possible to move UTMP processing to PAM via pam_open_session() /
pam_close_session(). I believe Linux-PAM includes a pam_utmp for this
very purpose.
Ideally UTMP/UTMPX/... processing, lastlog processing, etc... could all
move to PAM, though I don't know all the issues and I suspect that new
PAM items will be needed to be able to effectively move UTMPX processing
to PAM.
Who knows, PAM session handling could be used for a lot of things.
You can always remove PAM_UNIX from the session stack of SSH. You'll
need to use PAM_PERMIT if you have no other suitable module for the
session stack.
Cheers,
Nico
On Thu, Oct 25, 2001 at 09:47:40AM -0400, Ed Phillips wrote:
> What is the reasoning behind this? Do we want to see a lastlog entry for
> "ssh" whenever a user runs a remote command? Do other OSes have
> pam_open_session that does more meaningful things than Solaris 8?
> Well... I guess the more I think about it, it's probably better to go
> ahead and call pam_open_session even for the non-interactive case since
> someone might want to implement a PAM module at their site that logs every
> ssh connection... and if we don't call pam_open_session, then they don't
> even have that capability if they wanted it.
>
> I agree. Your patch below will avoid the SEGV on Sol8 regardless of
> whether or not the user has installed the patch to fix pam_unix.so.
>
> Also, I'll check with our platinum-beta contact at Sun to see if it's okay
> to test openssh on Sol9 Beta and report problems to this list, etc.
>
> Ed
>
> On Thu, 25 Oct 2001, Damien Miller wrote:
>
> > Date: Thu, 25 Oct 2001 10:45:34 +1000 (EST)
> > From: Damien Miller <djm at mindrot.org>
> > To: Darren Moffat <Darren.Moffat at eng.sun.com>
> > Cc: openssh-unix-dev at mindrot.org
> > Subject: Re: Regarding PAM_TTY_KLUDGE and Solaris 8...
> >
> > On Wed, 24 Oct 2001, Darren Moffat wrote:
> >
> > >
> > > >Okay, this appears to be a problem with pam_unix.so - the code in
> > > >pam_sm_open_session is written with the assumption that the tty name is of
> > > >the form "/dev/" + something else on the end. I'm not sure why the
> > >
> > > pam_sm_open_session in pam_unix on Solaris now does this:
> > >
> > > /* report error if ttyn or rhost are not set */
> > > if ((ttyn == NULL) || (rhost == NULL))
> > > return (PAM_SESSION_ERR);
> > >
> > > /* sanity check on size of tty line */
> > > if (strlen(ttyn) < sizeof("/dev/"))
> > > return (PAM_SESSION_ERR);
> > >
> > > later on it uses everything after the /dev/ as the short name tty to
> > > write to lastlog.
> > >
> > > This was part of the fix for 4250887. The fix will appear in patch
> > > 111659-03 (sparc) and 111660-03 (intel) when that patch is released.
> >
> > IMO until then we should enable the kludge, but change it as follows.
> > Kevin, can you check whether the kludge works with this patch on HP/UX?
> > (is the kludge even needed there?)
> >
> > Index: auth-pam.c
> > ===================================================================
> > RCS file: /var/cvs/openssh/auth-pam.c,v
> > retrieving revision 1.37
> > diff -u -r1.37 auth-pam.c
> > --- auth-pam.c 2001/04/23 18:38:37 1.37
> > +++ auth-pam.c 2001/10/25 00:43:55
> > @@ -374,7 +374,7 @@
> > * not even need one (for tty-less connections)
> > * Kludge: Set a fake PAM_TTY
> > */
> > - pam_retval = pam_set_item(__pamh, PAM_TTY, "ssh");
> > + pam_retval = pam_set_item(__pamh, PAM_TTY, "NODEVssh");
> > if (pam_retval != PAM_SUCCESS)
> > fatal("PAM set tty failed[%d]: %.200s",
> > pam_retval, PAM_STRERROR(__pamh, pam_retval));
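Review bot: the new literal "NODEVssh" only works because of two facts that the `Kludge: Set a fake PAM_TTY` comment above it does not record: the patched Solaris pam_unix rejects any PAM_TTY shorter than sizeof("/dev/"), i.e. six characters, and it then strips the first five characters as the "/dev/" prefix, so the name that actually reaches lastlog is "ssh". Without that explanation a later reader will take "NODEVssh" for a typo; suggest extending the comment, e.g. `/* Kludge: fake PAM_TTY. Solaris pam_unix strips the first 5 chars as "/dev/", so "ssh" is what lands in lastlog */`. Also note that on a PAM implementation that does not strip the prefix the string is logged verbatim as "NODEVssh", which answers the question in the thread about what shows up in lastlog and belongs in the change description.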
> >
> > -d
> >
> > --
> > | By convention there is color, \\ Damien Miller <djm at mindrot.org>
> > | By convention sweetness, By convention bitterness, \\ www.mindrot.org
> > | But in reality there are atoms and space - Democritus (c. 400 BCE)
> >
>
> Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> Systems Programmer III, Network and Systems Services
> finger -l ed at polycut.nss.udel.edu for PGP public key
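To make the thread's explanation concrete, here is an added example (not code from OpenSSH, Solaris or any of the posters) that models the two behaviours Darren Moffat describes in Solaris pam_unix's pam_sm_open_session: the length sanity check against sizeof("/dev/"), and taking everything after the "/dev/" prefix as the short tty name written to lastlog. The prefix-stripping pointer arithmetic and the PAM constant values are assumptions; the thread shows only the check itself. Running it shows why the old fake tty "ssh" is rejected (and, before the fix, read past the end of the string) while "NODEVssh" passes and still yields "ssh" as the logged name.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for the PAM return codes; the real values live in
 * <security/pam_appl.h> and are not needed for this model. */
#define PAM_SUCCESS     0
#define PAM_SESSION_ERR 1

/* Model of the sanity check quoted in the thread from Solaris pam_unix.
 * sizeof("/dev/") is 6 (five characters plus the NUL), so any name of
 * fewer than six characters is rejected, including "/dev/" itself. */
int check_tty_len(const char *ttyn, const char *rhost)
{
    /* report error if ttyn or rhost are not set */
    if ((ttyn == NULL) || (rhost == NULL))
        return PAM_SESSION_ERR;

    /* sanity check on size of tty line */
    if (strlen(ttyn) < sizeof("/dev/"))
        return PAM_SESSION_ERR;

    return PAM_SUCCESS;
}

/* Assumed model of what the module does afterwards: skip the first five
 * characters ("/dev/") and use the rest as the short name for lastlog.
 * Before the length check existed, calling this on "ssh" (3 characters)
 * walked past the terminating NUL, which is the SEGV the thread discusses.
 * This model refuses names that fail check_tty_len instead. */
const char *short_tty_name(const char *ttyn)
{
    if (check_tty_len(ttyn, "rhost-placeholder") != PAM_SUCCESS)
        return NULL;
    return ttyn + strlen("/dev/");
}

int main(void)
{
    /* Constructed sample tty names: the old kludge value, the new one,
     * a real pty, and the bare prefix. */
    const char *samples[] = { "ssh", "NODEVssh", "/dev/pts/3", "/dev/" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *name = short_tty_name(samples[i]);
        printf("PAM_TTY=%-12s -> %s\n", samples[i],
               name ? name : "rejected (PAM_SESSION_ERR)");
    }
    return 0;
}
```

The point of the "NODEV" prefix is now visible: it is exactly five characters, so the part that survives the strip is "ssh", which is what Ed Phillips asked would appear in lastlog for non-interactive sessions.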