Debian Bug report logs - #405041
openssh-server: Problem with pam-stack. Cleanup doesn't call pam_end() after auth failure and breaks pam-abl

Package: openssh-server; Maintainer for openssh-server is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for openssh-server is src:openssh.

Reported by: Sandro Wefel <wefel@unixos.de>

Date: Sat, 30 Dec 2006 18:18:19 UTC

Severity: important

Tags: patch

Found in versions 1:4.3p2-7, 1:4.3p2-8

Fixed in version openssh/1:4.7p1-1

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#405041; Package openssh-server.


Acknowledgement sent to Sandro Wefel <wefel@unixos.de>:
New Bug report received and forwarded. Copy sent to Matthew Vernon <matthew@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Sandro Wefel <wefel@unixos.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openssh-server: Problem with pam-stack. Cleanup doesn't call pam_end() after auth failure and breaks pam-abl
Date: Sat, 30 Dec 2006 19:11:20 +0100

Package: openssh-server
Version: 1:4.3p2-7, 1:4.3p2-8
Severity: important
Tags: patch

If the connection to the ssh-server is closed, lost, etc. then
the do_cleanup function in session.c is called. In newer
openssh-server versions, e.g. 1:4.3p2-7, a line is modified
  if (authctxt == NULL || !authctxt->authenticated)
    return;
which returns from cleanup if authctxt->authenticated
is NULL. The openssh_4.3p2.orig contains 
  if (authctxt == NULL)
    return;

If the connection is not authenticated (e.g. false password),
then no line after this will be reached and therefore not the 
following block
#ifdef USE_PAM
  if (options.use_pam) {
    sshpam_cleanup();
    sshpam_thread_cleanup();
  }
#endif
and so no pam-cleanup, which calls pam_end is done. But
this is needed by pam-modules like pam-abl to log
the failed trial.

I suggest to leave the openssh_4.3p2.orig line
  if (authctxt == NULL)
    return;
or use the following patch, which tests authctxt->authenticated
after pam-cleanup.

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (300, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-k7
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)


--- openssh-4.3p2-debian/session.c	2006-12-23 11:32:15.000000000 +0100
+++ openssh/session.c	2006-12-23 12:54:06.000000000 +0100
@@ -2440,7 +2440,7 @@
 		return;
 	called = 1;
 
-	if (authctxt == NULL || !authctxt->authenticated)
+	if (authctxt == NULL)
 		return;
 #ifdef KRB5
 	if (options.kerberos_ticket_cleanup &&
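Review bot: Dropping `!authctxt->authenticated` from the early return at 2443 also lets the `#ifdef KRB5` block that follows it run for connections that never authenticated, which is wider than the PAM cleanup the report asks for. If only the PAM block is meant to run before authentication, give the `options.kerberos_ticket_cleanup` branch its own `authctxt->authenticated` test, or say in the description why running it unauthenticated is safe.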
@@ -2459,6 +2459,8 @@
 		sshpam_thread_cleanup();
 	}
 #endif
+	if (!authctxt->authenticated)
+		return;
 
 	/* remove agent socket */
 	auth_sock_cleanup_proc(authctxt->pw);
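Review bot: With the `!authctxt->authenticated` return placed after `#endif`, `sshpam_thread_cleanup()` and the call before it now run on every path that reaches this function before authentication, and the patch does not show which callers those are. A later reply in this log says not to apply the patch because of the "unsafe signal handler vulnerability" closed in openssh-4.4, so confirm whether any pre-authentication caller is a signal handler before relying on this ordering. The new check also needs a comment saying why the PAM block sits above it, so a later tidy-up does not merge the two tests back together.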



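A small C model of the failure described in the report above, added here as an illustration and not taken from OpenSSH, pam-abl or the reporter. It assumes a module that defers its failed-attempt record to a cleanup callback run when the handle is ended, the way a callback registered with pam_set_data() runs at pam_end(); all names (struct handle, model_end, model_do_cleanup, failures_after_bad_login) are hypothetical.

```c
#include <stdio.h>

/* Toy stand-ins for a PAM handle and sshd's Authctxt (hypothetical, not libpam). */
struct handle {
    void (*cleanup)(struct handle *, int status); /* as set via pam_set_data() */
    int failures_logged;
};
struct authctxt { int authenticated; };

/* Module side: the failure record is written only when the handle is torn down. */
static void record_attempt(struct handle *h, int status)
{
    if (status != 0)
        h->failures_logged++;
}

/* Models pam_end(): run the registered cleanup callback exactly once. */
static void model_end(struct handle *h, int status)
{
    if (h->cleanup != NULL) {
        h->cleanup(h, status);
        h->cleanup = NULL;
    }
}

/* skip_unauth = 1 models the modified check, 0 the openssh_4.3p2.orig check. */
static void model_do_cleanup(struct handle *h, struct authctxt *a, int skip_unauth)
{
    if (a == NULL || (skip_unauth && !a->authenticated))
        return;                              /* handle is never ended */
    model_end(h, a->authenticated ? 0 : 1);  /* non-zero status = auth failed */
}

/* Returns how many failed attempts the module recorded for one bad login. */
int failures_after_bad_login(int skip_unauth)
{
    struct handle h = { record_attempt, 0 }; /* callback registered during auth */
    struct authctxt a = { 0 };               /* constructed input: wrong password */
    model_do_cleanup(&h, &a, skip_unauth);
    return h.failures_logged;
}

int main(void)
{
    printf("modified check: %d, orig check: %d\n",
           failures_after_bad_login(1), failures_after_bad_login(0));
    return 0;
}
```

With the modified check the callback never fires, so a module that counts failures this way sees none.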
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#405041; Package openssh-server.


Acknowledgement sent to Damien Miller <djm@mindrot.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.


Message #10 received at 405041@bugs.debian.org:

From: Damien Miller <djm@mindrot.org>
To: 405041@bugs.debian.org
Subject: Re: Debian Bug report logs - #405041
Date: Mon, 18 Jun 2007 10:09:39 +1000 (EST)

DO NOT apply this patch. It will expose users to the "unsafe signal handler
vulnerability" closed in openssh-4.4.

Further discussion at: http://bugzilla.mindrot.org/show_bug.cgi?id=1322



Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility.


Notification sent to Sandro Wefel <wefel@unixos.de>:
Bug acknowledged by developer.


Message #15 received at 405041-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 405041-close@bugs.debian.org
Subject: Bug#405041: fixed in openssh 1:4.7p1-1
Date: Mon, 24 Dec 2007 17:17:03 +0000

Source: openssh
Source-Version: 1:4.7p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_4.7p1-1_i386.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.7p1-1_i386.udeb
openssh-client_4.7p1-1_i386.deb
  to pool/main/o/openssh/openssh-client_4.7p1-1_i386.deb
openssh-server-udeb_4.7p1-1_i386.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.7p1-1_i386.udeb
openssh-server_4.7p1-1_i386.deb
  to pool/main/o/openssh/openssh-server_4.7p1-1_i386.deb
openssh_4.7p1-1.diff.gz
  to pool/main/o/openssh/openssh_4.7p1-1.diff.gz
openssh_4.7p1-1.dsc
  to pool/main/o/openssh/openssh_4.7p1-1.dsc
openssh_4.7p1.orig.tar.gz
  to pool/main/o/openssh/openssh_4.7p1.orig.tar.gz
ssh-askpass-gnome_4.7p1-1_i386.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.7p1-1_i386.deb
ssh-krb5_4.7p1-1_all.deb
  to pool/main/o/openssh/ssh-krb5_4.7p1-1_all.deb
ssh_4.7p1-1_all.deb
  to pool/main/o/openssh/ssh_4.7p1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 405041@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 24 Dec 2007 16:43:02 +0000
Source: openssh
Binary: ssh-askpass-gnome ssh-krb5 openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source i386 all
Version: 1:4.7p1-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell server, an rshd replacement
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 123013 246774 303453 327886 345628 365541 390699 405041 433181 444738 453285 453367
Changes: 
 openssh (1:4.7p1-1) unstable; urgency=low
 .
   * New upstream release (closes: #453367).
     - CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if
       creation of an untrusted cookie fails; found and fixed by Jan Pechanec
       (closes: #444738).
     - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing
       installations are unchanged.
     - The SSH channel window size has been increased, and both ssh(1) and
       sshd(8) now send window updates more aggressively. These improve
       performance on high-BDP (Bandwidth Delay Product) networks.
     - ssh(1) and sshd(8) now preserve MAC contexts between packets, which
       saves 2 hash calls per packet and results in 12-16% speedup for
       arcfour256/hmac-md5.
     - A new MAC algorithm has been added, UMAC-64 (RFC4418) as
       "umac-64@openssh.com". UMAC-64 has been measured to be approximately
       20% faster than HMAC-MD5.
     - Failure to establish a ssh(1) TunnelForward is now treated as a fatal
       error when the ExitOnForwardFailure option is set.
     - ssh(1) returns a sensible exit status if the control master goes away
       without passing the full exit status.
     - When using a ProxyCommand in ssh(1), set the outgoing hostname with
       gethostname(2), allowing hostbased authentication to work.
     - Make scp(1) skip FIFOs rather than hanging (closes: #246774).
     - Encode non-printing characters in scp(1) filenames. These could cause
       copies to be aborted with a "protocol error".
     - Handle SIGINT in sshd(8) privilege separation child process to ensure
       that wtmp and lastlog records are correctly updated.
     - Report GSSAPI mechanism in errors, for libraries that support multiple
       mechanisms.
     - Improve documentation for ssh-add(1)'s -d option.
     - Rearrange and tidy GSSAPI code, removing server-only code being linked
       into the client.
     - Delay execution of ssh(1)'s LocalCommand until after all forwardings
       have been established.
     - In scp(1), do not truncate non-regular files.
     - Improve exit message from ControlMaster clients.
     - Prevent sftp-server(8) from reading until it runs out of buffer space,
       whereupon it would exit with a fatal error (closes: #365541).
     - pam_end() was not being called if authentication failed
       (closes: #405041).
     - Manual page datestamps updated (closes: #433181).
   * Install the OpenSSH FAQ in /usr/share/doc/openssh-client.
     - Includes documentation on copying files with colons using scp
       (closes: #303453).
   * Create /var/run/sshd on start even if /etc/ssh/sshd_not_to_be_run exists
     (closes: #453285).
   * Fix "overriden" typo in ssh(1) (thanks, A. Costa; closes: #390699).
   * Refactor debian/rules configure and make invocations to make development
     easier.
   * Remove the hideously old /etc/ssh/primes on upgrade (closes: #123013).
   * Update moduli(5) to revision 1.11 from OpenBSD CVS.
   * Document the non-default options we set as standard in ssh_config(5) and
     sshd_config(5) (closes: #327886, #345628).
   * Recode LICENCE to UTF-8 when concatenating it to debian/copyright.
   * Override desktop-file-but-no-dh_desktop-call lintian warning; the
     .desktop file is intentionally not installed (see 1:3.8.1p1-10).
   * Update copyright dates for Kerberos patch in debian/copyright.head.
   * Policy version 3.7.3: no changes required.
Files: 
Package-Type: udeb
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jan 2008 07:30:18 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Mar 25 18:32:25 2023; Machine Name: buxtehude
