Bug 1308 - pam handling change breaks pam_abl module
Summary: pam handling change breaks pam_abl module
Status: CLOSED DUPLICATE of bug 1322
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: PAM support (show other bugs)
Version: 4.6p1
Hardware: UltraSPARC Solaris
: P2 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-04-21 05:24 AEST by Andy Feldt
Modified: 2008-04-04 09:59 AEDT (History)
2 users (show)

See Also:


Attachments
syslog output from sshd and pam_abl (3.56 KB, text/plain)
2007-04-21 05:29 AEST, Andy Feldt
no flags Details
Change prevents pam_end from being called with current status. (499 bytes, text/plain)
2007-06-24 03:12 AEST, Tom Cox
no flags Details
proposed patch for v. 4.6p1 (626 bytes, patch)
2007-06-30 00:53 AEST, Andy Feldt
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Andy Feldt 2007-04-21 05:24:20 AEST
In upgrading from OpenSSH-4.3p2 to -4.6p1 we find that the pam_abl module no longer functions properly.  It always has the error status (passed to the cleanup function) set to 0 when pam_end is called now - even if authentication failed.  This functioned properly in 4.3p2.  This is for Solaris 8 on UltraSparc systems.
Comment 1 Andy Feldt 2007-04-21 05:29:20 AEST
Created attachment 1265 [details]
syslog output from sshd and pam_abl
Comment 2 Damien Miller 2007-04-21 10:03:43 AEST
Those cleanup messages are from pam_abl, not sshd. Have you contacted the pam_abl developers?
Comment 3 Andy Armstrong 2007-04-22 11:31:36 AEST
Hi there,

I'm the developer but I don't have access to Solaris to test against. If someone is able to build and test a patched version for me I can probably work out how to fix it.
Comment 4 Andy Feldt 2007-04-22 13:08:16 AEST
I am willing to attempt to test this on one of my Solaris systems.  You can contact me directly via e-mail and we can work on any details.
Comment 5 Andy Armstrong 2007-04-22 13:13:47 AEST
Thanks - Darren Tucker has already offered so I'm going to use his box.
Comment 6 Tom Cox 2007-06-24 03:12:38 AEST
Created attachment 1312 [details]
Change prevents pam_end from being called with current status.

File shows problem introduced in session.c, version 1.346.
Comment 7 Andy Feldt 2007-06-30 00:53:23 AEST
Created attachment 1314 [details]
proposed patch for v. 4.6p1

This patch (based on the previous post) has corrected the
problem on my Solaris 8 systems.  I also still have a set
of patches (based on those for 4.3p2) I apply to deal with
the problem of sessions hanging at exit only for root logins.
(See bug 926 - attachment from Tomas Mraz - this has not made
it into the current version.)
Comment 8 Darren Tucker 2007-08-15 23:29:08 AEST
Patch id #1314 runs the risk of reintroducing the signal handler vulnerability fixed in 4.4 (CVE-2006-5051).  There's a better patch in bug #1322 so I'm closing this one in favour of #1322.  Please add any additional comments there.

*** This bug has been marked as a duplicate of bug 1322 ***
Comment 9 Damien Miller 2008-04-04 09:59:29 AEDT
Close resolved bugs after release.