Created attachment 1899 [details] test program that shows what kind of ttys are accepted I downloaded openssh 5.5p1 for Solaris 8 x86 from Sunfreeware at ftp://ftp.sunfreeware.com/pub/freeware/intel/8/openssh-5.5p1-sol8-x86-local.gz . If I set the UsePAM setting to yes, then no user is able to login. When the server is running with debugging, the client shows: $ ssh testuser@10.100.3.175 Password: Last login: Fri Jul 16 19:17:14 2010 from kyle-vmserver.c Sun Microsystems Inc. SunOS 5.8 Generic February 2000 debug3: PAM session not opened, exiting Connection to 10.100.3.175 closed. $ The error on the server is: debug3: PAM: opening session PAM: pam_open_session(): Can not make/remove entry for session I have determined the problem is that pam_unix.so.1 does not like the value of PAM_TTY. I see this in the source code: #ifdef PAM_TTY_KLUDGE /* * Some silly PAM modules (e.g. pam_time) require a TTY to operate. * sshd doesn't set the tty until too late in the auth process and * may not even set one (for tty-less connections) */ debug("PAM: setting PAM_TTY to \"ssh\""); sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh"); if (sshpam_err != PAM_SUCCESS) { pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; return (-1); } #endif I can tell that Sunfreeware did define PAM_TTY_KLUDGE, because I see this in the server's debug output: debug1: PAM: setting PAM_TTY to "ssh" I wrote a test program to show that Solaris 8 does not like this value (attached). Here is the output from the program: bash-2.03# gcc -Wall -Werror -lpam try_tty.c -o try_tty bash-2.03# ./try_tty Trying without PAM_TTY set opensession: Can not make/remove entry for session Trying with PAM_TTY set to 'ssh' opensession: Can not make/remove entry for session Trying with PAM_TTY set to '/dev/ssh' opensession: Success bash-2.03# ls -l /dev/ssh /dev/ssh: No such file or directory bash-2.03# cat /etc/release Solaris 8 2/02 s28x_u7wos_08a INTEL Copyright 2002 Sun Microsystems, Inc. All Rights Reserved. Assembled 18 December 2001
Created attachment 1900 [details] output of 'showrev -p' on solaris system
Can you reproduce the problem with the vanilla source from www.openssh.com or is it specific to the build supplied by sunfreeware?
Sunfreeware has applied no patches. I compared their source tarball against the one on openssh.com.
Your test program works fine on my solaris 8 (sparc) machine but it doesn't have recent patches. I suspect the problem is either introduced in a patch or specific to the x86 version (unlikely). Changing the kludge to /dev/ssh is a possibility but I am concerned this may impact other platforms negatively.
Created attachment 1906 [details] openssh-pam_tty.patch PAM_TTY_KLUDGE ssh -> /dev/ssh
My Solaris machine does not have the latest patches either. Could you attach the output of 'showrev -p' from your Solaris 8 machine? That command lists the installed patches on the machine. I could compare it with the patches from my system.
Created attachment 1907 [details] showrev -p from my solaris 8/sparc machine
I am not having trouble on Solaris 8 Sparc either. The difficulty is that different patches apply to Sparc and x86. Do you have a Solaris 8 x86 machine to try it on?
we were unable to reproduce this; in the unlikely event that you're still using Solaris 8 on x64 and can reproduce this then we might be able to take another look. If this is the case then please reopen the bug
closing resolved bugs as of 8.6p1 release