PAM session cleanup on Sol8 with v2.9.9p2
Ed Phillips
ed at UDel.Edu
Sat Oct 27 05:49:46 EST 2001
In do_pam_cleanup_proc(), there are 3 calls to PAM:
1) pam_close_session() - do lastlog stuff
2) pam_setcred(PAM_DELETE_CRED) - delete credentials
3) pam_end() - close PAM
It appears that pam_setcred() always fails with the error PAM_PERM_DENIED.
This is due to a check done in pam_unix.so to not allow a caller with euid 0
to even try to delete their SECURE_RPC credentials. When sshd calls
pam_setcred() to delete the credentials, evidently, it is running with
euid 0, so the checks in pam_unix.so guarantee failure - which means the
user's credentials never get deleted and the user won't know unless they
look for debug1 messages in the syslog (which are suppressed by default).
I expect this is an annoying problem for anyone doing SECURE_RPC on
Solaris. I happened to notice this while turning on all kinds of
debugging to figure out what's causing the problem where new passwords are
echoed on Sol8.
Ed
Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
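The cleanup sequence described in the message above, as an added example that is not part of the original post and is not OpenSSH code: it runs all three steps, keeps going when one fails, and reports a failed credential deletion at a visible level instead of debug. The `cleanup_ops` indirection, the function names and the `EX_*` values are hypothetical stand-ins so the block builds without PAM headers.

```c
#include <stdio.h>

/* Constructed stand-ins; real code would use the PAM_* values
 * from <security/pam_appl.h>. */
enum { EX_SUCCESS = 0, EX_PERM_DENIED = 1 };

/* Hypothetical indirection over the three PAM calls named in the post. */
struct cleanup_ops {
    int (*close_session)(void *h);       /* pam_close_session() */
    int (*delete_cred)(void *h);         /* pam_setcred(PAM_DELETE_CRED) */
    int (*end)(void *h, int status);     /* pam_end() */
};

enum { FAIL_CLOSE_SESSION = 1, FAIL_DELETE_CRED = 2, FAIL_END = 4 };

/* Run every step even if an earlier one fails. Returns a bitmask of the
 * failed steps; stderr stands in for a non-debug syslog level. */
int cleanup_session(const struct cleanup_ops *ops, void *h)
{
    int failed = 0, last = EX_SUCCESS, rc;

    rc = ops->close_session(h);
    if (rc != EX_SUCCESS) {
        failed |= FAIL_CLOSE_SESSION; last = rc;
        fprintf(stderr, "error: session close failed (%d)\n", rc);
    }
    rc = ops->delete_cred(h);
    if (rc != EX_SUCCESS) {
        failed |= FAIL_DELETE_CRED; last = rc;
        fprintf(stderr, "error: credentials NOT deleted (%d)\n", rc);
    }
    rc = ops->end(h, last);              /* always release the handle */
    if (rc != EX_SUCCESS) {
        failed |= FAIL_END;
        fprintf(stderr, "error: PAM shutdown failed (%d)\n", rc);
    }
    return failed;
}

/* Constructed fakes reproducing the behaviour reported in the post. */
static int fake_ok(void *h) { (void)h; return EX_SUCCESS; }
static int fake_denied(void *h) { (void)h; return EX_PERM_DENIED; }
static int fake_end(void *h, int s) { (void)h; (void)s; return EX_SUCCESS; }

int demo_reported_case(void)
{
    struct cleanup_ops ops = { fake_ok, fake_denied, fake_end };
    return cleanup_session(&ops, NULL);
}

int main(void) { return demo_reported_case() == FAIL_DELETE_CRED ? 0 : 1; }
```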