[Bug 951] SSH2 protocol breaks pam chroot auth

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Nov 9 19:12:13 EST 2004


------- Additional Comments From dtucker at zip.com.au  2004-11-09 19:12 -------
OK, I think this is happening because you're using pam_chroot in the "account"
stack.  For reasons I won't go into here, in the case of SSHv2
challenge-response authentication the call to pam_acct_mgmt() (which invokes the
account stack) happens in a process that's not an immediate ancestor to the
user's shell.  (For the gory details on why see bug #688).

This doesn't happen with password authentication, so it ought to behave as you
expect, but it probably means the root-owned parent sshd is chrooted too (which
may cause some problems, eg with logging).

I think you should change your PAM config so pam_chroot is a "session" module,
assuming yor module supports it (the pam_chroot in LinuxPAM does).  That way it
should work for both SSHv1 and SSHv2 no matter what the authentication method,
and will probably work with PrivilegeSeparation too.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the openssh-bugs mailing list