Bug 727

Summary: sshd built w/o pam support bypasses non-pam authentication code
Product: Portable OpenSSH
Reporter: David James <sshbugs>
Component: sshd
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED
Severity: security
Priority: P2
Version: 3.7.1p1
Hardware: SPARC
OS: Solaris

Description David James 2003-10-04 01:23:57 AEST
OpenSSH built without PAM support still gets options.use_pam = 1 set in
servconf.c. This causes code in other modules (e.g. auth.c) intended for
non-PAM sshds to be bypassed.

I noticed this while trying to determine why OpenSSH on Solaris 8 was not
processing expiration dates in /etc/shadow, despite code in
auth.c:allowed_user() intended to do this.

This has some security impact as it causes sshd to permit user logins that 
would be prohibited by /bin/login. 

Followup to bug #647 refers to this setting of use_pam.
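The gating the report describes, as an added illustration (not OpenSSH's own code): a minimal stand-in for the expiry check in auth.c:allowed_user(), which only runs when use_pam is off, so that a build with no PAM but use_pam forced to 1 performs no expiry check at all. The shadow lines and the field parser are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the options.use_pam member discussed in the report. */
struct server_opts { int use_pam; };

/* Extract the expiry field (8th field, days since 1970-01-01) from one
 * /etc/shadow-style line. Returns 0 and sets *expire (-1 when the field is
 * empty, i.e. no expiry), or -1 when the line is malformed. strchr is used
 * rather than strtok because strtok collapses the empty fields. */
int parse_shadow_expire(const char *line, long *expire) {
    const char *p = line;
    for (int field = 1; field < 8; field++) {   /* skip to field 8 */
        if ((p = strchr(p, ':')) == NULL)
            return -1;
        p++;
    }
    if (*p == ':' || *p == '\0' || *p == '\n') {
        *expire = -1;                /* empty field: never expires */
        return 0;
    }
    char *end;
    *expire = strtol(p, &end, 10);
    return (end == p) ? -1 : 0;      /* no digits: malformed */
}

/* Stand-in for the non-PAM path of allowed_user(): the shadow expiry check is
 * skipped whenever use_pam is set, on the assumption that PAM account
 * management will do it. In the reported 3.7.1p1 build there is no PAM, yet
 * use_pam = 1, so nobody checks. Returns 1 if login may proceed. */
int allowed_user(const struct server_opts *opts, const char *shadow_line,
                 long today_days) {
    long expire;
    if (opts->use_pam)
        return 1;                    /* deferred to (absent) PAM */
    if (parse_shadow_expire(shadow_line, &expire) != 0)
        return 0;                    /* malformed entry: fail closed */
    return (expire >= 0 && today_days >= expire) ? 0 : 1;
}

int main(void) {
    /* Constructed sample: account expired on day 12300, "today" is day 12345. */
    const char *expired = "alice:x:12000:0:99999:7::12300:";
    struct server_opts buggy = {1}, fixed = {0};
    printf("use_pam=1 (3.7.1p1 default): login allowed=%d\n", allowed_user(&buggy, expired, 12345));
    printf("use_pam=0 (3.7.1p2 default): login allowed=%d\n", allowed_user(&fixed, expired, 12345));
    return 0;
}
```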
Comment 1 Darren Tucker 2003-10-04 01:37:43 AEST
This has been fixed in 3.7.1p2: UsePAM now defaults to no, including when built 
without PAM support.
Comment 2 Darren Tucker 2003-10-07 16:47:30 AEST
Should have closed this earlier: is fixed in 3.7.1p2.
Comment 3 Damien Miller 2004-04-14 12:24:19 AEST
Mass change of RESOLVED bugs to CLOSED