Debian Bug report logs -
#132681
openssh: openssh calls do_pam_session in wrong spot
Reported by: nyt@countercultured.net
Date: Thu, 7 Feb 2002 01:03:03 UTC
Severity: normal
Fixed in version openssh/1:3.8p1-1
Done: Colin Watson <cjwatson@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org:
Bug#132681; Package openssh.
Acknowledgement sent to nyt@countercultured.net:
New Bug report received and forwarded. Copy sent to Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org.
Message #5 received at submit@bugs.debian.org:
Package: openssh
Version: N/A
Severity: normal
openssh runs do_pam_session in the wrong spot in 2 locations. This can cause PAM to enforce the user's limits while it is still running as root. This wouldn't be a problem if it didn't call fork() after it. The following diff of session.c allows openssh to actually use pam_limits.so and function properly when limits are in place.
Here is the diff:
--- old/openssh-3.0.2p1/session.c Sat Dec 1 18:37:08 2001
+++ session.c Wed Feb 6 19:53:50 2002
@@ -437,7 +437,6 @@
session_proctitle(s);
#if defined(USE_PAM)
- do_pam_session(s->pw->pw_name, NULL);
do_pam_setcred(1);
if (is_pam_password_change_required())
packet_disconnect("Password change required but no "
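Review bot: With do_pam_session() removed from this spot, do_pam_setcred(1) and the is_pam_password_change_required() check stay where they were, so credentials are now set before the session is opened, the reverse of the order in the removed line. The description should say whether that reordering is intended; if it is not, move do_pam_setcred(1) together with the session call.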
@@ -493,6 +492,9 @@
perror("dup2 stderr");
#endif /* USE_PIPES */
+#if defined(USE_PAM)
+ do_pam_session(s->pw->pw_name, NULL);
+#endif /* USE_PAM */
/* Do processing for the child (exec command etc). */
do_child(s, command);
/* NOTREACHED */
@@ -555,7 +557,6 @@
ttyfd = s->ttyfd;
#if defined(USE_PAM)
- do_pam_session(s->pw->pw_name, s->tty);
do_pam_setcred(1);
#endif
@@ -580,6 +581,10 @@
/* Close the extra descriptor for the pseudo tty. */
close(ttyfd);
+
+#if defined(USE_PAM)
+ do_pam_session(s->pw->pw_name, s->tty);
+#endif /* USE_PAM */
/* record login, etc. similar to login(1) */
#ifndef HAVE_OSF_SIA
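Review bot: The new block sits between close(ttyfd) and the section marked "record login, etc. similar to login(1)", so whatever limits the session modules apply are already in force while the login is recorded. If that record should be written unrestricted, move the call below that section; otherwise say so in a comment. Apart from the s->tty argument the block is a copy of the one added in the no-pty path, so a small shared helper would keep the two call sites from drifting apart.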
-- System Information
Debian Release: 3.0
Kernel Version: Linux dp1 2.4.17 #1 Mon Jan 28 13:14:39 EST 2002 i686 unknown
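The ordering problem described in the report, as an added example that is not OpenSSH code and not part of the original message: a resource limit applied before fork() sticks to the long-lived privileged process, while the same limit applied after fork() only constrains the child. The report does not say which limit was involved; RLIMIT_NOFILE is an assumption chosen because its effect is deterministic, and `apply_user_limits`, `daemon_pipe_errno` and `run_ordering` are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for a limits-setting session module: no new fds. */
static int apply_user_limits(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    rl.rlim_cur = 0;                 /* constructed value for the demo */
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* What the daemon side sees afterwards: 0 if it can still open a pipe. */
static int daemon_pipe_errno(void) {
    int fds[2];
    if (pipe(fds) != 0) return errno;
    close(fds[0]);
    close(fds[1]);
    return 0;
}

/* Runs one ordering in a throwaway process so the caller keeps its limits.
 * Returns the errno the pre-fork process got from pipe(), or -1 on error. */
int run_ordering(int limits_before_fork) {
    int status;
    pid_t daemon = fork();
    if (daemon < 0) return -1;
    if (daemon == 0) {
        if (limits_before_fork && apply_user_limits() != 0) _exit(255);
        pid_t child = fork();
        if (child < 0) _exit(255);
        if (child == 0) {            /* where the user's command would exec */
            if (!limits_before_fork) apply_user_limits();
            _exit(0);
        }
        waitpid(child, NULL, 0);
        _exit(daemon_pipe_errno());
    }
    if (waitpid(daemon, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    int before = run_ordering(1), after = run_ordering(0);
    printf("limits before fork: daemon pipe() errno = %d\n", before);
    printf("limits after fork:  daemon pipe() errno = %d\n", after);
    return 0;
}
```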
Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility.
Notification sent to nyt@countercultured.net:
Bug acknowledged by developer.
Message #10 received at 132681-close@bugs.debian.org:
Source: openssh
Source-Version: 1:3.8p1-1
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:
openssh_3.8p1-1.diff.gz
to pool/main/o/openssh/openssh_3.8p1-1.diff.gz
openssh_3.8p1-1.dsc
to pool/main/o/openssh/openssh_3.8p1-1.dsc
openssh_3.8p1.orig.tar.gz
to pool/main/o/openssh/openssh_3.8p1.orig.tar.gz
ssh-askpass-gnome_3.8p1-1_powerpc.deb
to pool/main/o/openssh/ssh-askpass-gnome_3.8p1-1_powerpc.deb
ssh_3.8p1-1_powerpc.deb
to pool/main/o/openssh/ssh_3.8p1-1_powerpc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 132681@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 6 Mar 2004 18:43:44 +0000
Source: openssh
Binary: ssh-askpass-gnome ssh
Architecture: source powerpc
Version: 1:3.8p1-1
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
ssh - Secure rlogin/rsh/rcp replacement (OpenSSH)
ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 132681 134589 150968 153235 157078 171673 181869 191131 224457 228838 232281 232843 234777
Changes:
openssh (1:3.8p1-1) unstable; urgency=low
.
* New upstream release (closes: #232281):
- New PAM implementation based on that in FreeBSD. This runs PAM session
modules before dropping privileges (closes: #132681, #150968).
- Since PAM session modules are run as root, we can turn pam_limits back
on by default, and it no longer spits out "Operation not permitted" to
syslog (closes: #171673).
- Password expiry works again (closes: #153235).
- 'ssh -q' suppresses login banner (closes: #134589).
- sshd doesn't lie to PAM about invalid usernames (closes: #157078).
- ssh-add prints key comment on each prompt (closes: #181869).
- Punctuation formatting fixed in man pages (closes: #191131).
- EnableSSHKeysign documented in ssh_config(5) (closes: #224457).
* Add 'UsePAM yes' to /etc/ssh/sshd_config on upgrade from versions older
than this, to maintain the standard Debian sshd configuration.
* Comment out PAMAuthenticationViaKbdInt and RhostsAuthentication in
sshd_config on upgrade. Neither option is supported any more.
* Privilege separation and PAM are now properly supported together, so
remove both debconf questions related to them and simply set it
unconditionally in newly generated sshd_config files (closes: #228838).
* ServerAliveInterval implemented upstream, so ProtocolKeepAlives is now a
compatibility alias. The semantics differ slightly, though; see
ssh_config(5) for details.
* Implement SSH1 support for ServerAliveInterval using SSH_MSG_IGNORE. As
documented in ssh_config(5), it's not as good as the SSH2 version.
* Remove -fno-builtin-log, -DHAVE_MMAP_ANON_SHARED, and
-D__FILE_OFFSET_BITS=64 compiler options, which are no longer necessary.
* Update config.guess and config.sub from autotools-dev 20040105.1.
* Darren Tucker:
- Reset signal status when starting pam auth thread, prevent hanging
during PAM keyboard-interactive authentications.
- Fix a non-security-critical segfault in PAM authentication.
* Add debconf template translations:
- Greek (thanks, Konstantinos Margaritis; closes: #232843).
- Italian (thanks, Renato Gini; closes: #234777).
Files:
3106ee4ac61541c173fb4483e7b79833 842 net standard openssh_3.8p1-1.dsc
7861a4c0841ab69a6eec5c747daff6fb 826588 net standard openssh_3.8p1.orig.tar.gz
70a09c4a493d91eae0aa9e1c20f8628d 122446 net standard openssh_3.8p1-1.diff.gz
4351d37420110a347fb7bcab469aa8f3 759138 net standard ssh_3.8p1-1_powerpc.deb
f5c562d17e71af297bd60a085d3f6027 55824 gnome optional ssh-askpass-gnome_3.8p1-1_powerpc.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
iD8DBQFASiLO9t0zAhD6TNERAjCPAJ9s58tD+O8ibS/5kDttlKjPLJ85EACfaTmb
DRVK6U+bCoG9e2U1PkLPf7g=
=yeHJ
-----END PGP SIGNATURE-----
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Mar 25 17:28:12 2023;