[Bug 951] SSH2 protocol breaks pam chroot auth

bugzilla-daemon at mindrot.org
Tue Nov 9 19:12:13 EST 2004


http://bugzilla.mindrot.org/show_bug.cgi?id=951

------- Additional Comments From dtucker at zip.com.au  2004-11-09 19:12 -------
OK, I think this is happening because you're using pam_chroot in the "account"
stack.  For reasons I won't go into here, in the case of SSHv2
challenge-response authentication the call to pam_acct_mgmt() (which invokes the
account stack) happens in a process that's not an immediate ancestor to the
user's shell.  (For the gory details on why see bug #688).

This doesn't happen with password authentication, so it ought to behave as you
expect, but it probably means the root-owned parent sshd is chrooted too (which
may cause some problems, e.g. with logging).

I think you should change your PAM config so pam_chroot is a "session" module,
assuming your module supports it (the pam_chroot in LinuxPAM does).  That way it
should work for both SSHv1 and SSHv2 no matter what the authentication method,
and will probably work with PrivilegeSeparation too.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
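
A check for the configuration change suggested in the comment above, as an added example that is not part of the original message or of OpenSSH: it reports which PAM stacks load pam_chroot in a service file and flags any stack other than "session". The module file name `pam_chroot.so`, the Linux-PAM `/etc/pam.d/<service>` line syntax, the function names and both sample configs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): find which PAM stacks load pam_chroot.
# Assumes Linux-PAM service-file syntax: "type control module-path [args]".

# Print each management group (auth/account/password/session) that loads pam_chroot.
pam_chroot_stacks() {
    awk '
        { sub(/#.*/, "") }                           # strip comments
        NF < 3 { next }                              # blank or incomplete line
        {
            type = tolower($1); sub(/^-/, "", type)  # leading "-" marks an optional module
            # Scan all fields: a bracketed control value may span several of them.
            for (i = 2; i <= NF; i++)
                if ($i ~ /(^|\/)pam_chroot\.so$/ && !seen[type]++) print type
        }' "$1"
}

# Return 0 if pam_chroot is loaded only from "session", 1 if it is loaded from
# any other stack (the case discussed in the comment), 2 if it is not loaded.
check_pam_chroot() {
    stacks=$(pam_chroot_stacks "$1")
    [ -n "$stacks" ] || { echo "$1: pam_chroot not configured"; return 2; }
    for s in $stacks; do
        if [ "$s" != session ]; then
            echo "$1: pam_chroot in '$s' stack; move it to 'session'"
            return 1
        fi
    done
    echo "$1: pam_chroot in 'session' stack only"
}

# Constructed sample configs (not taken from the reporter's system).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/before" <<'EOF'
auth     required  pam_unix.so
account  required  pam_unix.so
account  required  pam_chroot.so   # chroot applied during pam_acct_mgmt()
session  required  pam_unix.so
EOF
cat > "$tmp/after" <<'EOF'
auth     required  pam_unix.so
account  required  pam_unix.so
session  required  pam_unix.so
session  required  pam_chroot.so   # chroot applied during pam_open_session()
EOF
check_pam_chroot "$tmp/before" || true
check_pam_chroot "$tmp/after"
```

To check a live system, point `check_pam_chroot` at the sshd service file, commonly `/etc/pam.d/sshd`.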



