PAM session cleanup on Sol8 with v2.9.9p2

Ed Phillips ed at UDel.Edu
Sat Oct 27 06:05:48 EST 2001 

On Fri, 26 Oct 2001, Ed Phillips wrote:

> Date: Fri, 26 Oct 2001 15:49:46 -0400 (EDT)
> From: Ed Phillips <ed at udel.edu>
> To: openssh-unix-dev at mindrot.org
> Subject: PAM session cleanup on Sol8 with v2.9.9p2
>
> In do_pam_cleanup_proc(), there are 3 calls to PAM:
>
> 1) pam_close_session() - do lastlog stuff
>
> 2) pam_setcred(PAM_DELETE_CRED) - delete credentials
>
> 3) pam_end() - close PAM
>
> It appears that pam_setcred() always fails with the error PAM_PERM_DENIED.
> This is due to a check done pam_unix.so to not allow a caller with euid 0
> to even try to delete their SECURE_RPC credentials.  When sshd calls
> pam_setcred() to delete the credentials, evidentally, it is running with
> euid 0, so the checks in pam_unix.so guarantee failure - which means the
> user's credentials never get deleted and the user won't know unless they
> look for debug1 messages in the syslog (which are suppressed by default).
> I excpect this is an annoying problem for anyone doing SECURE_RPC on
> Solaris.  I happened to notice this while turning on all kinds of
> debugging to figure out what's causing the problem where new passwords are
> echoed on Sol8.

Some more info. about the pam_setcred()...

When I login and need to change my password, but type the wrong "old"
password, I can actually see the messages coming from pam_unix.so that
talk about the failure to delete credentials for SECURE_RPC:

polycut:~> ssh dazel
Warning: Your password has expired, please change it now
Enter login password:
sshd(SYSTEM): Sorry, wrong passwd
removing root credentials would break the rpc services that
use secure rpc on this host!
root may use keylogout -f to do this (at your own risk)!
Connection to dazel closed by remote host.
Connection to dazel closed.

FWIW... if nothing else, a check to see if we SHOULD even CALL
pam_setcred() during cleanup should be added.  And, probably a seteuid()
should be done to have hopes that the SECURE_RPC creds can be destroyed.

Anyone care about this?

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

More information about the openssh-unix-dev mailing list