Solaris PAM: Cannot delete credentials

Albert Chin openssh-unix-dev at thewrittenword.com
Sat Jan 26 02:53:39 EST 2002


On Thu, Nov 22, 2001 at 12:52:31PM +0100, Hans Werner Strube wrote:
> > As has been reported several times, openssh with PAM in Solaris gives
> > a debug message on logout: Cannot delete credentials.
> > Here is a patch for auth-pam.c (possibly Solaris-specific).
> > The line numbers hold at least for 2.9.9p2 through 3.0.1p1.
> > Note that seteuid() is not sufficient; one must use setuid().
> > It would be more efficient to save the uid of the session and pass it,
> > in order to avoid pam_get_item() and getpwnam(), but this would be a
> > major change.
> 
> Here is the "major change", involving auth-pam.c, auth-pam.h, session.c.
> The change of the first argument of do_pam_session() is possible, because
> this argument has not been used in the original version.
> Please treat with caution, since I have no actual overview over the
> global interdependence and calling sequence of the functions in sshd.
> But it worked for a login connection as well as a tty-less connection in
> Solaris 7, without yielding the debug message "Cannot delete credentials."

Has anyone tried this? We tried it against 3.0.2p1 on Solaris 8 with
111659-05 installed and get:
  ...
  Warning: Your password has expired, please change it now
  Enter login password: [blah]
  Could not unset your secret key(s).
  Maybe the keyserver is down?

-- 
albert chin (china at thewrittenword.com)


