Bug 647

Summary:

Setting "UsePAM no" in sshd_config gives error if not config'ed w/ --with-pam

Product:

Portable OpenSSH

Reporter:

Ken Pon <pon>

Component:

sshd

Assignee:

OpenSSH Bugzilla mailing list <openssh-bugs>

Status:

CLOSED FIXED

Severity:

minor

CC:

pon

Priority:

Version:

-current

Hardware:

SPARC

OS:

SunOS

Attachments:

Description	Flags
Set options->use_pam to 0 if USE_PAM is not set	none

Description Ken Pon 2003-09-17 13:44:35 AEST

For OpenSSH_3.7p1, if one does NOT use the "--with-pam" configuration
option, setting the default "#UsePAM yes" flag in sshd_config to
"UsePam no" will cause the following error:
 init.d [111]# ./openssh start
/etc/ssh/sshd_config line 75: Unsupported option UsePAM

However, if one does use the "--with-pam" configuration option,
setting the flag "UsePam no" is acceptable.

Seems a bit confusing to me. Perhaps "#UsePAM no" should be the default?

Thanks.

Comment 1 Darren Tucker 2003-09-18 17:47:51 AEST

Created attachment 422 [details]
Set options->use_pam to 0 if USE_PAM is not set

On a related note, options.use_pam is set even unless overridden by the UsePAM
directive, which doesn't happen if PAM support isn't compiled in.

This means, for example, that things like this (from auth.c) don't happen when
PAM support is disabled:
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
	if (!options.use_pam)
		spw = getspnam(pw->pw_name);

Hey!  That might be the cause of some of our mystery segfaults on Solaris 2.6!

Comment 2 Damien Miller 2003-09-18 18:40:16 AEST

Maybe it should just default to 0

Comment 3 Darren Tucker 2003-09-18 18:57:42 AEST

That was my first thought, but most of the options go through this "-1 = unset"
-> set from config -> apply default if -1 process.  I assumed there was a reason
for it, so left it that way.

Comment 4 Darren Tucker 2003-10-07 16:57:17 AEST

As of 3.7.1p2 UsePAM defaults to "no".

Comment 5 Damien Miller 2004-04-14 12:24:19 AEST

Mass change of RESOLVED bugs to CLOSED