Debian Bug report logs - #150968
libpam-modules: pam_mkhomedir fails with new ssh (3.3p1) - pam_session not run as root

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Richard A Nelson" <cowboy@vnet.ibm.com>

To: "Debian Bug Tracking System" <submit@bugs.debian.org>

Subject: libpam-modules: pam_mkhomedir fails with new ssh (3.3p1) - pam_session not run as root

Date: Tue, 25 Jun 2002 11:57:16 -0400

Package: libpam-modules
Version: 0.72-35
Severity: grave

This is grave because failures in these PAM modules will prevent access
to the system.

The new ssh with split priviledge throws a big monkeywrench in the usage
of PAM session helpers... They are no longer run suid, but rather run
under the authenticated UID !

I've personally been hit by pam_tmpdir and pam_mkhomedir, but I've not
yet looked to see what other session modules may be impacted.

We may want to coordinate with upstream (although we're fairly
downlevel) - and with other PAM packages (like pam_tmpdir) on the
best ways to solve this problem!  Potential avenues are separate
suid helpers (yuck), modification of an extant helper, or something
along the lines of the 'userv' package (I've not yet looked to see
how apropos it is for this problem).

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux badlands.lexington.ibm.com 2.4.19-pre10-ac2 #8 Wed Jun 5 15:00:08 EDT 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages libpam-modules depends on:
ii  libc6                         2.2.5-7    GNU C Library: Shared libraries an
ii  libcap1                       1:1.10-12  support for getting/setting POSIX.
ii  libdb3                        3.2.9-16   Berkeley v3 Database Libraries [ru
ii  libpam0g                      0.72-35    Pluggable Authentication Modules l

-- no debconf information

Message #12 received at 150968@bugs.debian.org (full text, mbox, reply):

From: hartmans@mit.edu (Sam Hartman)

To: 150968@bugs.debian.org

Cc: control@bugs.debian.org

Subject: patch for ssh PAM handling

Date: Tue, 25 Jun 2002 17:08:28 -0400 (EDT)

tags 150968 patch
thanks

Here's a patch for 3.3p1-0.0.woody1 to do the PAM session and setcred
handling in the parent rather than the child; seems to work for me.

Thanks to Steve Langasek for help with the patch .


Index: auth-pam.c
===================================================================
RCS file: /afs/sipb/project/debian/cvs/openssh-krb5/auth-pam.c,v
retrieving revision 1.4
diff -u -r1.4 auth-pam.c
--- auth-pam.c	25 Jun 2002 00:45:33 -0000	1.4
+++ auth-pam.c	25 Jun 2002 20:33:41 -0000
@@ -286,6 +286,8 @@
 			    pam_retval, PAM_STRERROR(__pamh, pam_retval));
 	}
 
+	if (session_opened)
+	  return; /*Be idempotent so we can be called in monitor and child*/
 	pam_retval = pam_open_session(__pamh, 0);
 	if (pam_retval != PAM_SUCCESS)
 		fatal("PAM session setup failed[%d]: %.200s",
@@ -304,6 +306,8 @@
 
 	do_pam_set_conv(&conv);
 
+	if (init&&creds_set)
+	  return; /*be idempotent so we can be called in monitor and child*/
 	debug("PAM establishing creds");
 	pam_retval = pam_setcred(__pamh, 
 	    init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);
Index: monitor.c
===================================================================
RCS file: /afs/sipb/project/debian/cvs/openssh-krb5/monitor.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 monitor.c
--- monitor.c	24 Jun 2002 23:29:52 -0000	1.1.1.1
+++ monitor.c	25 Jun 2002 20:33:41 -0000
@@ -278,6 +278,8 @@
 #ifdef USE_PAM
 			if (!do_pam_account(authctxt->pw->pw_name, NULL))
 				authenticated = 0;
+			do_pam_session(authctxt->pw->pw_name, NULL);
+			do_pam_setcred(1);
 #endif
 		}
 

Message #19 received at 150968@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>

To: hartmans@mit.edu (Sam Hartman)

Cc: 150968@bugs.debian.org

Subject: Re: Bug#150968: patch for ssh PAM handling

Date: Tue, 25 Jun 2002 23:52:43 +0200

hartmans@mit.edu (Sam Hartman) writes:

> Here's a patch for 3.3p1-0.0.woody1 to do the PAM session and setcred
> handling in the parent rather than the child; seems to work for me.
>
> Thanks to Steve Langasek for help with the patch .

Doesn't moving code around like this run the risk of reintroducing the
security defect which brought us all this mess?

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898

Message #24 received at 150968@bugs.debian.org (full text, mbox, reply):

From: Sam Hartman <hartmans@mit.edu>

To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>

Cc: 150968@bugs.debian.org

Subject: Re: Bug#150968: patch for ssh PAM handling

Date: Tue, 25 Jun 2002 17:58:36 -0400

>>>>> "Florian" == Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE> writes:

    Florian> hartmans@mit.edu (Sam Hartman) writes:
    >> Here's a patch for 3.3p1-0.0.woody1 to do the PAM session and
    >> setcred handling in the parent rather than the child; seems to
    >> work for me.
    >> 
    >> Thanks to Steve Langasek for help with the patch .

    Florian> Doesn't moving code around like this run the risk of
    Florian> reintroducing the security defect which brought us all
    Florian> this mess?

Sure.  But the current behavior is broken.  I assure you as PAM
maintainer there are pam modules in Debian that ex pect their setcred
and open_session entry points to be called as root.  Not doing so will
break these modules.  Making this sort of design/API/interface change
in a security update is not acceptable.

Honestly, I also tend to think the current PAM behavior is actually
correct.

Message #29 received at 150968@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>

To: Sam Hartman <hartmans@mit.edu>

Cc: 150968@bugs.debian.org

Subject: Re: Bug#150968: patch for ssh PAM handling

Date: Wed, 26 Jun 2002 00:05:50 +0200

Sam Hartman <hartmans@mit.edu> writes:

>>>>>> "Florian" == Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE> writes:
>
>     Florian> hartmans@mit.edu (Sam Hartman) writes:
>     >> Here's a patch for 3.3p1-0.0.woody1 to do the PAM session and
>     >> setcred handling in the parent rather than the child; seems to
>     >> work for me.
>     >> 
>     >> Thanks to Steve Langasek for help with the patch .
>
>     Florian> Doesn't moving code around like this run the risk of
>     Florian> reintroducing the security defect which brought us all
>     Florian> this mess?
>
> Sure.  But the current behavior is broken.  I assure you as PAM
> maintainer there are pam modules in Debian that ex pect their setcred
> and open_session entry points to be called as root.  Not doing so will
> break these modules.  Making this sort of design/API/interface change
> in a security update is not acceptable.

I agree completely, changing assumptions like this is not a good idea.
However, we are in an extremely unfortunate situation.  We don't know
where we can put the barriers safely.

> Honestly, I also tend to think the current PAM behavior is actually
> correct.

I can't comment on this, but after browsing the PAM documentation, I'm
not convinced at all that SSH implementations can follow the
application requirements to the letter.  Privilege separation is just
pushing the violations a bit farther, it seems.

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898

Message #34 received at 150968@bugs.debian.org (full text, mbox, reply):

From: Jonathan Amery <jdamery@chiark.greenend.org.uk>

To: 150968@bugs.debian.org

Subject: PAM

Date: Wed, 26 Jun 2002 15:08:21 +0100

 Agreed that there are modules that assume that they are root, but in
all of the PAM specifications I cannot find anything to justify this
assumption.  The documentation for pam_open_session does say something 
about ensuring that the euid is sufficient for the purpose, but the
examples it gives would not require root, and it is rather a weak
statement. 

 Ideologically, if the modules require more priviledge than that of
the user being authenticated/authorised then they should obtain this
through out-of-band means.

 J.

Message #39 received at 150968@bugs.debian.org (full text, mbox, reply):

From: Michael Stone <mstone@debian.org>

To: 150968@bugs.debian.org

Subject: Re: Bug#150968: patch for ssh PAM handling

Date: Wed, 26 Jun 2002 23:28:22 -0400

I brought this patch up upstream, and it was (correctly) pointed out
that it will break multi-session handling. (It's possible with protocol2
to start multiple independent sessions per authentication.) Making
do_pam_session only run once obviously interferes with that. 

Mike Stone

Message #44 received at 150968@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>

To: Michael Stone <mstone@debian.org>

Cc: 150968@bugs.debian.org

Subject: Re: Bug#150968: patch for ssh PAM handling

Date: Thu, 27 Jun 2002 12:16:27 +0200

Michael Stone <mstone@debian.org> writes:

> I brought this patch up upstream, and it was (correctly) pointed out
> that it will break multi-session handling. (It's possible with protocol2
> to start multiple independent sessions per authentication.) Making
> do_pam_session only run once obviously interferes with that. Mike Stone

Hmm.

Doesn't this change the privileges with which the conversion callback
is invoked?  Wouldn't this disable any additional protection we need
to counter the most recent OpenSSH problem?

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898

Message #49 received at 150968@bugs.debian.org (full text, mbox, reply):

From: Michael Stone <mstone@debian.org>

To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>

Cc: 150968@bugs.debian.org

Subject: Re: Bug#150968: patch for ssh PAM handling

Date: Thu, 27 Jun 2002 06:19:47 -0400

On Thu, Jun 27, 2002 at 12:16:27PM +0200, Florian Weimer wrote:
>Michael Stone <mstone@debian.org> writes:
>> I brought this patch up upstream, and it was (correctly) pointed out
>> that it will break multi-session handling. (It's possible with protocol2
>> to start multiple independent sessions per authentication.) Making
>> do_pam_session only run once obviously interferes with that. Mike Stone
>
>Doesn't this change the privileges with which the conversion callback
>is invoked?  Wouldn't this disable any additional protection we need
>to counter the most recent OpenSSH problem?

There are two issues: whether the patch works, and whether the patch is
secure. In this case the patch doesn't work, so the issue of whether
it's secure is moot. I'm not sure there can be a simple, correct fix.

Mike Stone

Message #54 received at 150968@bugs.debian.org (full text, mbox, reply):

From: Hein Roehrig <hein@acm.org>

To: 150968@bugs.debian.org

Subject: pam_chroot also broken

Date: 27 Jun 2002 23:29:47 +0200

[Message part 1 (text/plain, inline)]

Just FYI, the pam_chroot module for chrooting after authentication is
also doesn't work with privilege separation --- no wonder actually since
only root can do chroot(2).

Thanks,
Hein

[signature.asc (application/pgp-signature, inline)]

Message #59 received at 150968-submitter@bugs.debian.org (full text, mbox, reply):

From: Matthew Vernon <matthew@sel.cam.ac.uk>

To: 150968-submitter@bugs.debian.org

Cc: control@bugs.debian.org

Subject: downgrading

Date: Fri, 28 Jun 2002 16:36:17 +0100

Severity 150968 important
quit

The work-around for now is to disable privilege separation; as debconf
now informs you of this, I'm downgrading this bug to important.

Matthew

-- 
Rapun.sel - outermost outpost of the Pick Empire
http://www.pick.ucam.org

Message #64 received at 150968@bugs.debian.org (full text, mbox, reply):

From: Darren Tucker <dtucker@zip.com.au>

To: "Richard A Nelson" <cowboy@vnet.ibm.com>

Cc: 150968@bugs.debian.org

Subject: Debian bug #150968: now fixed upstream

Date: Wed, 24 Dec 2003 19:22:42 +1100

Hi.
	Regarding the Debian bug you reported ("pam_session not run as root"): 
as part of the PAM rewrite in OpenSSH upstream (between 3.6.1p2 and 
3.7p1), do_pam_session is now called just before privilege is dropped 
permanently.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Message #71 received at 150968-close@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: 150968-close@bugs.debian.org

Subject: Bug#150968: fixed in openssh 1:3.8p1-1

Date: Sat, 06 Mar 2004 14:17:17 -0500

Source: openssh
Source-Version: 1:3.8p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh_3.8p1-1.diff.gz
  to pool/main/o/openssh/openssh_3.8p1-1.diff.gz
openssh_3.8p1-1.dsc
  to pool/main/o/openssh/openssh_3.8p1-1.dsc
openssh_3.8p1.orig.tar.gz
  to pool/main/o/openssh/openssh_3.8p1.orig.tar.gz
ssh-askpass-gnome_3.8p1-1_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_3.8p1-1_powerpc.deb
ssh_3.8p1-1_powerpc.deb
  to pool/main/o/openssh/ssh_3.8p1-1_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 150968@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  6 Mar 2004 18:43:44 +0000
Source: openssh
Binary: ssh-askpass-gnome ssh
Architecture: source powerpc
Version: 1:3.8p1-1
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 ssh        - Secure rlogin/rsh/rcp replacement (OpenSSH)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 132681 134589 150968 153235 157078 171673 181869 191131 224457 228838 232281 232843 234777
Changes: 
 openssh (1:3.8p1-1) unstable; urgency=low
 .
   * New upstream release (closes: #232281):
     - New PAM implementation based on that in FreeBSD. This runs PAM session
       modules before dropping privileges (closes: #132681, #150968).
     - Since PAM session modules are run as root, we can turn pam_limits back
       on by default, and it no longer spits out "Operation not permitted" to
       syslog (closes: #171673).
     - Password expiry works again (closes: #153235).
     - 'ssh -q' suppresses login banner (closes: #134589).
     - sshd doesn't lie to PAM about invalid usernames (closes: #157078).
     - ssh-add prints key comment on each prompt (closes: #181869).
     - Punctuation formatting fixed in man pages (closes: #191131).
     - EnableSSHKeysign documented in ssh_config(5) (closes: #224457).
   * Add 'UsePAM yes' to /etc/ssh/sshd_config on upgrade from versions older
     than this, to maintain the standard Debian sshd configuration.
   * Comment out PAMAuthenticationViaKbdInt and RhostsAuthentication in
     sshd_config on upgrade. Neither option is supported any more.
   * Privilege separation and PAM are now properly supported together, so
     remove both debconf questions related to them and simply set it
     unconditionally in newly generated sshd_config files (closes: #228838).
   * ServerAliveInterval implemented upstream, so ProtocolKeepAlives is now a
     compatibility alias. The semantics differ slightly, though; see
     ssh_config(5) for details.
   * Implement SSH1 support for ServerAliveInterval using SSH_MSG_IGNORE. As
     documented in ssh_config(5), it's not as good as the SSH2 version.
   * Remove -fno-builtin-log, -DHAVE_MMAP_ANON_SHARED, and
     -D__FILE_OFFSET_BITS=64 compiler options, which are no longer necessary.
   * Update config.guess and config.sub from autotools-dev 20040105.1.
   * Darren Tucker:
     - Reset signal status when starting pam auth thread, prevent hanging
       during PAM keyboard-interactive authentications.
     - Fix a non-security-critical segfault in PAM authentication.
   * Add debconf template translations:
     - Greek (thanks, Konstantinos Margaritis; closes: #232843).
     - Italian (thanks, Renato Gini; closes: #234777).
Files: 
 3106ee4ac61541c173fb4483e7b79833 842 net standard openssh_3.8p1-1.dsc
 7861a4c0841ab69a6eec5c747daff6fb 826588 net standard openssh_3.8p1.orig.tar.gz
 70a09c4a493d91eae0aa9e1c20f8628d 122446 net standard openssh_3.8p1-1.diff.gz
 4351d37420110a347fb7bcab469aa8f3 759138 net standard ssh_3.8p1-1_powerpc.deb
 f5c562d17e71af297bd60a085d3f6027 55824 gnome optional ssh-askpass-gnome_3.8p1-1_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD8DBQFASiLO9t0zAhD6TNERAjCPAJ9s58tD+O8ibS/5kDttlKjPLJ85EACfaTmb
DRVK6U+bCoG9e2U1PkLPf7g=
=yeHJ
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.