Mailing List Archive

[Bug 839] Privilege Separation + PAM locks users out
http://bugzilla.mindrot.org/show_bug.cgi?id=839

Summary: Privilege Separation + PAM locks users out
Product: Portable OpenSSH
Version: 3.8p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: critical
Priority: P1
Component: sshd
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: wgrim@siue.edu


I was having a problem all weekend where UsePrivilegeSeparation was on, and
users were being authenticated through PAM modules.

I would continuously get ssh_exchange_identification errors. Generally this is
a hosts.allow/.deny problem. However, after running into this problem 3 times,
I determined this was not the problem.

The problem has to do with something between sshd and PAM during privilege
separation. I was randomly getting several "sshd: <user> [pam]" processes in my
"ps ax" list. When the maximum unauthenticated connection limit was reached, no
one could log in.

Turning privilege separation off seems to remove the problem. It is also
important to make sure ssh* binaries are not setuid root in this case. Use
SELinux or similar if you feel you need more security.

However, I would like privilege separation fixed.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

------- Additional Comments From dtucker@zip.com.au 2004-04-09 15:27 -------
Created an attachment (id=600)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=600&action=view)
Reset thread status

Please try this patch (which has already been committed to -current, auth-pam.c
rev 1.97) or try a snapshot.


------- Additional Comments From dtucker@zip.com.au 2004-04-09 15:31 -------
BTW the only binary that should be setuid is ssh-keysign (and possibly ssh, but
only if you use a server that requires connections from low-numbered ports, e.g.
for RSARhosts authentication).
