PAM session cleanup on Sol8 with v2.9.9p2

[Nicolas Williams]

I think this may be a bug in PAM_UNIX. As long as PAM_USER is set then
pam_unix's pam_sm_setcred() should *know* to delete that user's creds
instead of the user given by euid.

Nico


On Fri, Oct 26, 2001 at 04:05:48PM -0400, Ed Phillips wrote:
> On Fri, 26 Oct 2001, Ed Phillips wrote:
> 
> > Date: Fri, 26 Oct 2001 15:49:46 -0400 (EDT)
> > From: Ed Phillips <ed at udel.edu>
> > To: openssh-unix-dev at mindrot.org
> > Subject: PAM session cleanup on Sol8 with v2.9.9p2
> >
> > In do_pam_cleanup_proc(), there are 3 calls to PAM:
> >
> > 1) pam_close_session() - do lastlog stuff
> >
> > 2) pam_setcred(PAM_DELETE_CRED) - delete credentials
> >
> > 3) pam_end() - close PAM
> >
> > It appears that pam_setcred() always fails with the error PAM_PERM_DENIED.
> > This is due to a check done pam_unix.so to not allow a caller with euid 0
> > to even try to delete their SECURE_RPC credentials.  When sshd calls
> > pam_setcred() to delete the credentials, evidentally, it is running with
> > euid 0, so the checks in pam_unix.so guarantee failure - which means the
> > user's credentials never get deleted and the user won't know unless they
> > look for debug1 messages in the syslog (which are suppressed by default).
> > I excpect this is an annoying problem for anyone doing SECURE_RPC on
> > Solaris.  I happened to notice this while turning on all kinds of
> > debugging to figure out what's causing the problem where new passwords are
> > echoed on Sol8.
> 
> Some more info. about the pam_setcred()...
> 
> When I login and need to change my password, but type the wrong "old"
> password, I can actually see the messages coming from pam_unix.so that
> talk about the failure to delete credentials for SECURE_RPC:
> 
> polycut:~> ssh dazel
> Warning: Your password has expired, please change it now
> Enter login password:
> sshd(SYSTEM): Sorry, wrong passwd
> removing root credentials would break the rpc services that
> use secure rpc on this host!
> root may use keylogout -f to do this (at your own risk)!
> Connection to dazel closed by remote host.
> Connection to dazel closed.
> 
> FWIW... if nothing else, a check to see if we SHOULD even CALL
> pam_setcred() during cleanup should be added.  And, probably a seteuid()
> should be done to have hopes that the SECURE_RPC creds can be destroyed.
> 
> Anyone care about this?
> 
> 	Ed
> 
> Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> Systems Programmer III, Network and Systems Services
> finger -l ed at polycut.nss.udel.edu for PGP public key
--

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.