When a user presses Ctrl-C in ssh while being prompted by the PAM conversation function during a keyboard-interactive authentication, then sshd's conversation function does not return to the PAM library with PAM_CONV_ERR. Instead sshd calls pam_end() directly from inside the conversation function. This is in violation of "The Linux-PAM application developers' guide" (draft 0.73, 2000-12-02), which states in section 3.2.1, page 14 that "should an error occur the application should [...] simply return PAM_CONV_ERR". Why is calling pam_end() directly from within the conversation function causing a problem? Linux-PAM keeps as a debugging aid in its handler variable pamh->caller_is track of whether the calling thread was supposed to come from the application (caller_is=2) or from the PAM module (caller_is=1). (See Linux-PAM-0.75/libpam/pam_private.h for the relevant macros.) The incorrect call of pam_end() from within the conversation function results in an error message by Linux-PAM, because Linux-PAM thinks, based on its pamh->caller_is=1 value, that pam_end() was accidentally called by the module. As a result, pam_end() aborts and none of the PAM data structures are cleaned up properly. In particular, and call-back functions that a PAM module might have registered ro release resources are not called. As a result, PAM modules that create, for example, a lock file before entering the conversation function are not given a chance to release their resources, leading to malfunctions. Another security-critical side effect of this bug is that the memory scrubbing that PAM normally applies carefully to any password buffers never takes place if the ssh connection is aborted. As a result, passwords are more likely to leak out into swap space or core dumps. I discussed this issue with Linux-PAM author Andrew Morgan, and he agreed that this is clearly a bug in the PAM support of OpenSSH.
Markus, the PAM support has been completely replaced for the upcoming 3.7 release (the current code is from the author of OpenPAM). Could you please try with a recent snapshot from http://www.openssh.com/portable.html ?
We call pam_end indirectly via a fatal_cleanup in 3.7.x. Perhaps this should change.
Considering this is a security bug (it does not scrub memory as it should and for other pam modules expose other vulnerabilities) as well as a functionality bug which seems to involve calling one function instead of another, I would think hope and encourge that getting it fixed be a priority.
Please don't make changes to other people's bugs, unless you are going to help.
Created attachment 501 [details] Don't fatal on msg functions The removes the remaining indirect ways that pam_end could be called from the kbd-int conversation function in -current portable. I'd suggest the msg.[ch] changes for inclusion in the OpenBSD version too.
the msg.c changes make sense to me...
The changes were committed a month ago.
Mass change of RESOLVED bugs to CLOSED