PAM session cleanup on Sol8 with v2.9.9p2

Ed Phillips ed at UDel.Edu
Sat Oct 27 05:49:46 EST 2001


In do_pam_cleanup_proc(), there are 3 calls to PAM:

1) pam_close_session() - do lastlog stuff

2) pam_setcred(PAM_DELETE_CRED) - delete credentials

3) pam_end() - close PAM

It appears that pam_setcred() always fails with the error PAM_PERM_DENIED.
This is due to a check done in pam_unix.so to not allow a caller with euid 0
to even try to delete their SECURE_RPC credentials.  When sshd calls
pam_setcred() to delete the credentials, evidently, it is running with
euid 0, so the checks in pam_unix.so guarantee failure - which means the
user's credentials never get deleted and the user won't know unless they
look for debug1 messages in the syslog (which are suppressed by default).
I expect this is an annoying problem for anyone doing SECURE_RPC on
Solaris.  I happened to notice this while turning on all kinds of
debugging to figure out what's causing the problem where new passwords are
echoed on Sol8.

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
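
The three-call cleanup described in the message above, as an added example that is not part of the original post and is not OpenSSH code: it records each call's result and reports a failed credential delete at a level that is not suppressed by default. The `SIM_*` codes, `cleanup_ops`, `session_cleanup` and the stub functions are hypothetical stand-ins so the model runs without libpam; the stub assumes a caller with non-zero euid passes the module's check, which the post does not confirm.

```c
/* Added example: runnable model of the cleanup sequence, not sshd's code. */
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins; real PAM codes come from <security/pam_appl.h>. */
enum { SIM_SUCCESS = 0, SIM_PERM_DENIED = 1 };
enum level { LVL_DEBUG1, LVL_ERROR };

struct cleanup_ops {                 /* hypothetical indirection over the 3 calls */
    int (*close_session)(void);
    int (*delete_cred)(unsigned euid);
    int (*end)(void);
};

struct cleanup_report {
    int close_rc, setcred_rc, end_rc;
    enum level max_level;            /* highest level any message was logged at */
    int creds_left_behind;           /* 1 if the credential delete failed */
};

/* Stubs modelling the post: the module refuses a caller running with euid 0. */
static int sim_close(void) { return SIM_SUCCESS; }
static int sim_end(void) { return SIM_SUCCESS; }
static int sim_delete_cred(unsigned euid) { return euid == 0 ? SIM_PERM_DENIED : SIM_SUCCESS; }
const struct cleanup_ops sim_ops = { sim_close, sim_delete_cred, sim_end };

static void note(struct cleanup_report *r, enum level l, const char *what, int rc)
{
    if (l > r->max_level) r->max_level = l;
    fprintf(stderr, "%s: %s failed (rc=%d)\n", l == LVL_ERROR ? "error" : "debug1", what, rc);
}

/* Run all three steps, never skipping the final one, and keep every result. */
struct cleanup_report session_cleanup(const struct cleanup_ops *ops, unsigned euid)
{
    struct cleanup_report r;
    memset(&r, 0, sizeof r);
    if ((r.close_rc = ops->close_session()) != SIM_SUCCESS)
        note(&r, LVL_DEBUG1, "close_session", r.close_rc);
    if ((r.setcred_rc = ops->delete_cred(euid)) != SIM_SUCCESS) {
        r.creds_left_behind = 1;     /* credentials survive the logout */
        note(&r, LVL_ERROR, "setcred(delete)", r.setcred_rc); /* not hidden at debug1 */
    }
    if ((r.end_rc = ops->end()) != SIM_SUCCESS)
        note(&r, LVL_DEBUG1, "end", r.end_rc);
    return r;
}
```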




More information about the openssh-unix-dev mailing list