Deleting root credentials

Darren Tucker dtucker at
Wed Jun 14 15:51:18 EST 2006

Senthil Kumar wrote:
> I'm using OpenSSH 4.3 compiled with PAM support. I'm using a proprietary PAM 
> module for my Authentication. When the root user logs out, it throws a 
> message "pam_setcred : Pemission denied" in syslog. The PAM engineer told me 
> that the module can't delete root user's credentials. Instead he is asking me 
> to skip the call pam_setcred() in sshpam_cleanup() in auth-pam.c for root 
> user.

You can try the patch #1143 in [1], which attempts to fix this for 
regular users when privsep=yes.  I think it will also help for root when 
privsep=yes, but I'm not 100% sure.  It won't help if privsep=no.

> Is this the right way?

Not really, but fixing this for the general case is not trivial (see the 
discussion in [1]).

> Is there any impact with this?

Depends on what your PAM modules actually do... presumably the authors 
of your modules would be able to say for certain.


Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list