In upgrading from OpenSSH-4.3p2 to -4.6p1 we find that the pam_abl module no longer functions properly. It always has the error status (passed to the cleanup function) set to 0 when pam_end is called now - even if authentication failed. This functioned properly in 4.3p2. This is for Solaris 8 on UltraSparc systems.
Created attachment 1265 [details] syslog output from sshd and pam_abl
Those cleanup messages are from pam_abl, not sshd. Have you contacted the pam_abl developers?
Hi there, I'm the developer but I don't have access to Solaris to test against. If someone is able to build and test a patched version for me I can probably work out how to fix it.
I am willing to attempt to test this on one of my Solaris systems. You can contact me directly via e-mail and we can work on any details.
Thanks - Darren Tucker has already offered so I'm going to use his box.
Created attachment 1312 [details] Change prevents pam_end from being called with current status. File shows problem introduced in session.c, version 1.346.
Created attachment 1314 [details] proposed patch for v. 4.6p1 This patch (based on the previous post) has corrected the problem on my Solaris 8 systems. I also still have a set of patches (based on those for 4.3p2) I apply to deal with the problem of sessions hanging at exit only for root logins. (See bug 926 - attachment from Tomas Mraz - this has not made it into the current version.)
Patch id #1314 runs the risk of reintroducing the signal handler vulnerability fixed in 4.4 (CVE-2006-5051). There's a better patch in bug #1322 so I'm closing this one in favour of #1322. Please add any additional comments there. *** This bug has been marked as a duplicate of bug 1322 ***
Close resolved bugs after release.