[Bug 926] pam_session_close called as user or not at all

bugzilla-daemon at bugzilla.mindrot.org
Mon Jun 30 20:25:54 EST 2008


--- Comment #37 from Darren Tucker <dtucker at zip.com.au>  2008-06-30 20:25:45 ---
(In reply to comment #36)
> pam_mount tries to ask a password from the user*, which puts it in
> challenge-response case of needing more than one interaction. Since
> session modules can't interact with the user other than to display
> messages, you'd also need to put it in the PAM accounting stack. This
> is what bug #688 is about, and isn't related to this one
> (pam_session_close behaviour).
> IMO this bug can be closed with the release of openssh-4.8p1. Darren,
> do you agree? Isn't this also incorrectly marked as blocking 5.1?

The thing is it (pam_mount) probably used to work with at least
privsep=no, because the session wasn't opened until the pty had been
allocated, thus the modules could interact using the tty conversation
function.  So, this is a regression (what I was worried about in
comment #27).

Now that the session is opened in the monitor, the session modules
can't interact with the user.  On the flip side, the session close now
runs with privilege.

So, take the bug out of the 5.1 list, but I wouldn't close it yet.
