Conflict between LDAP and Privilege Separation?
Lets Go Canes
letsgonhlcanes at yahoo.com
Tue Aug 30 06:57:22 EST 2005
Hi all.
> Try running sshd -ddd and see if the debug output sheds any light.
Thank you for the suggestion.
The sshd side appears to just see the child go away:
debug3: mm_answer_pty: tty /dev/pts/5 ptyfd 9
debug2: monitor_read: 25 used once, disabling now
debug3: mm_request_receive entering
debug1: PAM: setting PAM_TTY to "/dev/pts/5"
debug2: fd 4 setting TCP_NODELAY
debug1: Entering interactive session.
debug1: Received SIGCHLD.
debug2: fd 10 setting O_NONBLOCK
debug3: fd 12 is O_NONBLOCK
debug2: fd 14 setting O_NONBLOCK
debug2: fd 15 setting O_NONBLOCK
debug1: server_init_dispatch_13
debug1: server_init_dispatch_15
debug1: End of interactive session; stdin 0, stdout (read 102, sent 102), stderr 0 bytes.
debug1: Command exited with status 254.
debug1: Received exit confirmation.
[...]
The client side appears to be creating the session, but before it can
give a shell prompt, it dies:
[...]
debug3: tty_make_modes: 92 0
debug3: tty_make_modes: 93 0
debug2: fd 4 setting TCP_NODELAY
debug1: Requesting shell.
debug1: Entering interactive session.
Last login: Mon Aug 29 16:27:54 2005 from xyzzy.plugh.c
debug3: PAM session not opened, exiting
Connection to ssh-host closed.
debug1: Transferred: stdin 0, stdout 102, stderr 31 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 5185.8, stderr 1576.1
debug1: Exit status 254
[...]
Note the message: debug3: PAM session not opened, exiting
I am also seeing in /var/adm/messages:
Aug 29 16:47:55 ssh-host sshd[26773]: [ID 776383 auth.error] open_module: stat(/lib/security/pam_limits.so) failed: No such file or directory
Aug 29 16:47:55 ssh-host sshd[26773]: [ID 487707 auth.error] load_modules: can not open module /lib/security/pam_limits.so
Aug 29 16:47:55 ssh-host sshd[26773]: [ID 800047 auth.error] error: PAM: pam_open_session(): Dlopen failure
Aug 29 16:47:55 ssh-host sshd[26773]: [ID 776383 auth.error] open_module: stat(/lib/security/pam_nologin.so) failed: No such file or directory
Aug 29 16:47:55 ssh-host sshd[26773]: [ID 487707 auth.error] load_modules: can not open module /lib/security/pam_nologin.so
Note the "pam_open_session(): Dlopen failure".
I get the same behavior from multiple accounts (using different shells
and skeleton files).
I can work around the problem by disabling PAM and/or PrivSep
in sshd_config, but in my production environment PAM support will be
required, and PrivilegeSeparation is viewed as highly desirable.
--------------
Lets Go Canes!
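Added example, not part of the original message or of OpenSSH: a small POSIX sh checker that walks a Solaris-style pam.conf (service, module type, control flag, module path, options) and reports every module path that does not exist on disk, which is the condition behind the "open_module: stat(...) failed" lines quoted above. The pam.conf layout and the default /usr/lib/security module directory are assumptions about the poster's system.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# check_pam_modules CONF [LIBDIR]
#   Reads a Solaris-style pam.conf and verifies that each module file
#   referenced in the fourth field exists. Absolute paths are checked
#   as written; relative paths are resolved against LIBDIR (assumed
#   default: /usr/lib/security). Prints one "MISSING ..." line per
#   unresolvable module and returns 1 if any were missing, else 0.
check_pam_modules() {
    conf=$1
    libdir=${2:-/usr/lib/security}
    missing=0
    while read -r service type flag module _rest; do
        # skip blank lines and comment lines
        case $service in ''|'#'*) continue ;; esac
        case $module in
            /*) path=$module ;;          # absolute path, e.g. /lib/security/pam_limits.so
            *)  path=$libdir/$module ;;  # relative path, resolved against LIBDIR
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING service=$service type=$type path=$path"
            missing=1
        fi
    done < "$conf"
    return $missing
}

# Usage when run as a script: sh check_pam.sh /etc/pam.conf [/usr/lib/security]
if [ $# -gt 0 ]; then
    check_pam_modules "$@"
fi
```

A module listed in pam.conf that is absent from disk makes the whole session stack fail to load, so sshd's pam_open_session() fails even though authentication itself succeeded.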