Bug 1002 - sshd does not report failed PAM session modules to the client side
Summary: sshd does not report failed PAM session modules to the client side
Status: CLOSED INVALID
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 4.0p1
Hardware: All  OS: All
Importance: P2 normal
Assignee: OpenSSH Bugzilla mailing list
Reported: 2005-03-18 22:12 AEDT by Ponraj
Modified: 2006-10-07 11:39 AEST (History)
Description Ponraj 2005-03-18 22:12:17 AEDT
sshd does not report failed PAM session modules to the client side.
But sshd with the "-e" option reports correctly.
Comment 1 Darren Tucker 2005-03-18 22:44:38 AEDT
Hmm, I thought that was fixed with 4.0p1.  Which platform and PAM modules are
you using?  Can you give an example of what you mean by "sshd with the -e option
reports correctly"?
Comment 2 Ponraj 2005-03-19 14:54:30 AEDT
We are using libpam_unix.1 in HP-UX and we renamed its entry in the pam.conf file
as "libpam_unix.1_invalid". The server does not report anything about
"libpam_unix.1_invalid" to the client.
Server :
/opt/ssh/sbin/sshd -e -o "UsePAM yes" -o "UsePrivilegeSepraration no "
Client :
ssh localhost 
Password :
PAM: pam_open_session(): Can not make/remove entry for session
Connection to localhost closed 

We missed that even the -e option failed to report the session module name to the
client.

Comment 3 Darren Tucker 2005-03-19 15:23:18 AEDT
If you deliberately (or otherwise) break your PAM config then there's nothing
much sshd can do about it.  PAM deliberately does not tell the application
anything about the modules involved so sshd has no way of knowing.

BTW the "PAM: pam_open_session()" error sent to the client is only there because
you specified "-e".  Under normal circumstances that would go to syslog.
Comment 4 Ponraj 2005-03-19 21:13:05 AEDT
The following error message is reported neither to syslog nor to the user for a
privilege-separated user:

error: PAM: pam_open_session(): Can not make/remove entry for session
Comment 5 Darren Tucker 2005-03-20 20:38:30 AEDT
OK, let me rephrase that: it *should* be logged to syslog.  If it's not then
it's probably something that can be fixed.

What are you trying to achieve by disabling libpam_unix in pam.conf?
Comment 6 Darren Tucker 2005-03-20 22:11:18 AEDT
What version of HP-UX is this (i.e. the one giving the "Can not make/remove entry"
message)?  I can't reproduce it on 11.00; it logs this from sshd with privsep=yes:

open_module: stat(/usr/lib/security/libpam_unix.1.not) failed: No such file or
directory
load_modules: can not open module /usr/lib/security/libpam_unix.1.not
error: PAM: pam_open_session(): Can not make/remove entry for session
Comment 7 Darren Tucker 2005-04-24 11:16:33 AEST
The PAM API doesn't provide the information you're asking for so there's no
reasonable way for sshd to do what you're asking.

If you want to deny user logins with a message at particular times then what you
probably want is something like Ethan Benson's pam_noulogin
(http://penguinppc.org/~eb/files/pam-noulogin.tar.gz).
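The check an administrator would want for the failure mode in this thread (a pam.conf entry pointing at a module file that is not on disk), added here as an example and not part of the bug report or of OpenSSH: a POSIX sh script that walks a pam.conf-style file and lists every referenced module that does not exist. The sample pam.conf, the temporary module directory and the sshd lines are constructed; the HP-UX column layout (service, type, control, module, options) and /usr/lib/security as the default module directory are assumptions taken from the log lines in comment 6.

```shell
#!/bin/sh
# Print "service type path" for every module referenced in a pam.conf-style
# file that does not exist on disk. Relative module names are resolved
# against $2 (assumed: /usr/lib/security on HP-UX); comments and blank
# lines are skipped.
missing_pam_modules() {
    conf="$1" moddir="$2"
    while read -r service type control module rest; do
        case "$service" in ''|'#'*) continue ;; esac
        case "$module" in /*) path="$module" ;; *) path="$moddir/$module" ;; esac
        [ -f "$path" ] || printf '%s %s %s\n' "$service" "$type" "$path"
    done < "$conf"
}

# Exit status 0 when every referenced module exists, 1 otherwise.
check_pam_conf() {
    [ -z "$(missing_pam_modules "$1" "$2")" ]
}

# Constructed sample: a module directory holding libpam_unix.1 and a pam.conf
# whose session line points at the renamed module from the bug report.
tmp=$(mktemp -d)
moddir="$tmp/security"
mkdir -p "$moddir"
: > "$moddir/libpam_unix.1"
cat > "$tmp/pam.conf" <<'EOF'
# constructed sample in HP-UX pam.conf layout
sshd auth     required libpam_unix.1
sshd account  required libpam_unix.1
sshd session  required libpam_unix.1_invalid
EOF

if check_pam_conf "$tmp/pam.conf" "$moddir"; then
    echo "all PAM modules referenced by $tmp/pam.conf are present"
else
    echo "pam.conf references modules that do not exist:"
    missing_pam_modules "$tmp/pam.conf" "$moddir"
fi
```

Run against the real file with `missing_pam_modules /etc/pam.conf /usr/lib/security`; PAM itself only hands sshd a return code, so this is where the broken entry actually becomes visible.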
Comment 8 Darren Tucker 2006-10-07 11:39:21 AEST
Change all RESOLVED bugs to CLOSED with the exception of the ones fixed post-4.4.