Running sshd with Privilege Separation drops connection on password change
Darren Tucker
dtucker at zip.com.au
Thu Dec 17 10:09:16 AEDT 2015
On Thu, Dec 17, 2015 at 9:34 AM, Nasim, Kam <Kam.Nasim at windriver.com> wrote:
> Hi Darren/Damien,
>
> Sorry for responding so late. Still hope we can get this sorted out.
> Yes I am indeed using PAM for ssh authentication and disabling priv separation is a no-go for us since it opens up a security loophole.
>
> From what I can see in ptree and auth logs, when the child passwd process returns with SIGCHLD, the parent sshd process terminates.
>
> Sshd logs are as follows as requested at DEBUG3 verbosity. They indicate the ssh, followed by the password change and finally termination of connection:
Despite being asked for them earlier, you still have not provided the
full debug logs, which would tell, amongst other things, what version
of OpenSSH this is. That said...
[...]
> Dec 16 22:22:13 knasim-ubuntu1 sshd[8623]: debug1: SELinux support disabled
I know of no version of OpenSSH supplied by us that has that message,
so I suspect you are using a modified version.
> Dec 16 22:22:13 knasim-ubuntu1 sshd[8569]: debug3: PAM: sshpam_passwd_conv called with 1 messages
[...]
> Dec 16 22:22:24 knasim-ubuntu1 passwd[8624]: pam_unix(passwd:chauthtok): password changed for nasim
This is working exactly as I described in option #2 earlier: password
authentication followed by execing /bin/passwd.
Your other option is what I described in #1: Disable
PasswordAuthentication in sshd_config and use
ChallengeResponseAuthentication/KbdInteractiveAuthentication.
> Dec 16 22:22:24 knasim-ubuntu1 sshd[8623]: debug1: Received SIGCHLD.
[...]
> Let me know what you guys think.
I think it is working as intended.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
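A check a defender can run against the effective sshd configuration to see which of the two password-change paths described above is in use. This is an added example, not code from the thread or from OpenSSH; it parses text in the shape `sshd -T` prints (lowercase keyword, value), and the sample configuration is constructed.

```shell
#!/bin/sh
# Constructed sample in the shape `sshd -T` prints (lowercase keyword, value).
SAMPLE_CONFIG='port 22
usepam yes
useprivilegeseparation sandbox
passwordauthentication yes
challengeresponseauthentication no
kbdinteractiveauthentication no'

# cfg_get KEY CONFIG -> value of KEY (last occurrence wins, like sshd itself)
cfg_get() {
    printf '%s\n' "$2" | awk -v k="$1" 'tolower($1)==k {v=$2} END {print v}'
}

# Report which password-change path a configuration takes:
#   exec-passwd      : PasswordAuthentication yes -> after a password login with
#                      an expired password, sshd execs /bin/passwd and the
#                      connection ends when passwd exits (option #2 in the thread)
#   pam-chauthtok    : PasswordAuthentication no and keyboard-interactive on ->
#                      the change runs inside the PAM conversation (option #1)
#   no-password-path : neither password nor keyboard-interactive auth enabled
classify_sshd_config() {
    pw=$(cfg_get passwordauthentication "$1")
    cr=$(cfg_get challengeresponseauthentication "$1")
    kbd=$(cfg_get kbdinteractiveauthentication "$1")
    if [ "$pw" = yes ]; then
        echo exec-passwd
    elif [ "$cr" = yes ] || [ "$kbd" = yes ]; then
        echo pam-chauthtok
    else
        echo no-password-path
    fi
}

# On a real host replace the sample with: classify_sshd_config "$(sshd -T)"
classify_sshd_config "$SAMPLE_CONFIG"
```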