Bug 727 - sshd built w/o pam support bypasses non-pam authentication code
Summary: sshd built w/o pam support bypasses non-pam authentication code
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd (show other bugs)
Version: 3.7.1p1
Hardware: SPARC Solaris
: P2 security
Assignee: OpenSSH Bugzilla mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-10-04 01:23 AEST by David James
Modified: 2004-04-14 12:24 AEST (History)
Description David James 2003-10-04 01:23:57 AEST
OpenSSH built without PAM support still gets options.use_pam = 1 set in 
servconf.c. This causes code in other modules (e.g. auth.c) intended for non-
PAM sshds to be bypassed. 

I noticed this while trying to determine why OpenSSH on Solaris 8 was not 
processing expiration dates in /etc/shadow, despite code in auth.c:allowed_user() 
intended to do this.

This has some security impact as it causes sshd to permit user logins that 
would be prohibited by /bin/login. 

Followup to bug #647 refers to this setting of use_pam.
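The following is an added illustration, not code from the bug report or from OpenSSH itself. It models the interaction the report describes: a server built without PAM still has use_pam forced on, so an allowed_user()-style check that defers account-expiry enforcement to PAM is skipped and an expired account is let through. The structure names, the fill_defaults_* functions and the shadow-expiry logic are assumptions constructed for the example; only the 3.7.1p1 default of 1 and the 3.7.1p2 default of 0 come from the report and comment 1.

```c
/* Added example (not OpenSSH code): model of the use_pam default bug from
 * this report. Compile WITHOUT -DUSE_PAM to represent a non-PAM build. */
#include <stdio.h>
#include <stdbool.h>

/* Build-time PAM switch, modelled on the USE_PAM define (assumption). */
#ifdef USE_PAM
#define HAVE_PAM_BUILD 1
#else
#define HAVE_PAM_BUILD 0
#endif

struct options { int use_pam; };

/* Constructed stand-in for one /etc/shadow entry. */
struct account {
    const char *name;
    long expire_day;   /* days since epoch when the account expires; -1 = never */
};

/* 3.7.1p1 behaviour per the report: use_pam is set to 1 in servconf.c
 * regardless of whether the binary was built with PAM. */
void fill_defaults_buggy(struct options *o) { o->use_pam = 1; }

/* 3.7.1p2 behaviour per comment 1: UsePAM defaults to no. */
void fill_defaults_fixed(struct options *o) { o->use_pam = 0; }

/* Model of the non-PAM expiry check in auth.c:allowed_user() (assumption):
 * the check only runs when the server believes PAM is NOT handling it.
 * In a non-PAM build with use_pam == 1 nobody enforces expiry at all. */
bool allowed_user(const struct options *o, const struct account *a, long today)
{
    if (!HAVE_PAM_BUILD && !o->use_pam) {
        if (a->expire_day != -1 && today > a->expire_day) {
            fprintf(stderr, "User %s account expired\n", a->name);
            return false;
        }
    }
    return true;   /* otherwise expiry is left to PAM, which may not exist */
}

/* Returns 1 if the modelled sshd would permit the login, 0 if it denies. */
int login_allowed(bool fixed_defaults, long today, long expire_day)
{
    struct options o;
    struct account a = { "expired-user", expire_day };

    if (fixed_defaults)
        fill_defaults_fixed(&o);
    else
        fill_defaults_buggy(&o);
    return allowed_user(&o, &a, today) ? 1 : 0;
}

int main(void)
{
    /* Constructed dates: account expired on day 11000, today is day 12000. */
    printf("3.7.1p1 model, expired account: login %s\n",
           login_allowed(false, 12000, 11000) ? "PERMITTED" : "denied");
    printf("3.7.1p2 model, expired account: login %s\n",
           login_allowed(true, 12000, 11000) ? "PERMITTED" : "denied");
    return 0;
}
```

With the buggy default the expired account is permitted; with the fixed default the same account is denied, which is the /bin/login-consistent behaviour the reporter expected. The practical check on a real system is the one the reporter did: log in as an account whose /etc/shadow expiry date has passed and confirm sshd rejects it.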
Comment 1 Darren Tucker 2003-10-04 01:37:43 AEST
This has been fixed in 3.7.1p2: UsePAM now defaults to no, including when built 
without PAM support.
Comment 2 Darren Tucker 2003-10-07 16:47:30 AEST
Should have closed this earlier: is fixed in 3.7.1p2.
Comment 3 Damien Miller 2004-04-14 12:24:19 AEST
Mass change of RESOLVED bugs to CLOSED