openssh-3.7.1p2: no pam_close_session() invocation

Dr. Carsten Benecke Carsten.Benecke at
Fri Sep 26 23:01:59 EST 2003


I would like to use PAM. All PAM interaction worked well with openssh-3.5

Now that I have tried to upgrade to 3.7.1p1/p2 the pam_close_session()
function won't get invoked. Some debugging shows, that the call is 
protected by an if-statement (module auth-pam.c, function sshpam_cleanup):

	if (sshpam_session_open) {
		pam_close_session(sshpam_handle, PAM_SILENT);
		/* cb, 26.09.03 */
		debug2("\n\nin sshpam_cleanup: mypid = %d\n\n", getpid());		
		sshpam_session_open = 0;

I guess that the forked child process that calls the sshpam_cleanup() 
function is forked before the parent calls do_pam_session() (which sets 
sshpam_session_open to true).

pam_close_session() will be invoked by removing surrounding if-statement.

Is this a bug?

My changes to the default sshd_conf are:

< UsePAM yes
 > #UsePAM yes
< UsePrivilegeSeparation no
 > #UsePrivilegeSeparation yes
< #Subsystem    sftp    /local/libexec/sftp-server
 > Subsystem     sftp    /local/libexec/sftp-server

By the way: This is a bug in the documentation: The default for UsePAM in 
3.7.1p2 is "no" while "#UsePAM yes" implies the opposite.


Dr. Carsten Benecke, Regionales Rechenzentrum, Universität Hamburg,
Schlüterstr. 70, D-20146 Hamburg, Tel.: ++49 40 42838 3097,
Fax: ++49 40 42838 3096, mailto: Carsten.Benecke at

More information about the openssh-unix-dev mailing list