http://bugzilla.mindrot.org/show_bug.cgi?id=839
Summary: Privilege Separation + PAM locks users out
Product: Portable OpenSSH
Version: 3.8p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: critical
Priority: P1
Component: sshd
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: wgrim@siue.edu
I was having a problem all weekend where UsePrivilegeSeparation was on, and
users were being authenticated through PAM modules.
I would continuously get ssh_exchange_identification errors. Generally this is
a hosts.allow/.deny problem. However, after running into this problem 3 times,
I determined this was not the problem.
The problem has to do with something between sshd and PAM during privilege
separation. I was randomly getting several "sshd: <user> [pam]" processes in my
"ps ax" list. When the maximum unauthenticated connection limit was reached, no
one could log in.
Turning privilege separation off seems to remove the problem. It is also
important to make sure ssh* binaries are not setuid root in this case. Use
SELinux or similar if you feel you need more security.
However, I would like privilege separation fixed.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
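The symptom the report describes, stale "sshd: <user> [pam]" privilege-separation helper processes accumulating until sshd's unauthenticated-connection limit (MaxStartups) is exhausted, is easy to check for from the shell. The script below is an added example, not part of the bug report or of OpenSSH; the `ps ax` sample, the PIDs and the user names are constructed, and the limit of 10 is an assumed MaxStartups value that the caller passes in rather than something read from the server.

```shell
#!/bin/sh
# Constructed sample of "ps ax" output modelled on the process list the
# report describes (hypothetical PIDs and user names).
SAMPLE_PS='  812 ?        Ss     0:00 /usr/sbin/sshd
 4123 ?        S      0:00 sshd: alice [pam]
 4124 ?        S      0:00 sshd: bob [pam]
 4130 ?        S      0:00 sshd: carol [priv]
 4131 ?        S      0:00 sshd: carol@pts/0
 4140 ?        S      0:00 sshd: dave [pam]'

# Count privsep PAM helper processes ("sshd: <user> [pam]") in ps-style
# input read from stdin. grep -c prints 0 but exits 1 on no match, hence
# the "|| true" so the count is still emitted under "set -e".
count_pam_helpers() {
    grep -c 'sshd: [^ ]\{1,\} \[pam\]' || true
}

# Compare the helper count with the assumed MaxStartups budget. Each stuck
# helper holds an unauthenticated-connection slot, so reaching the limit
# means new clients are refused (ssh_exchange_identification errors).
# Prints LOCKOUT or OK; always returns 0 so it can be used in pipelines.
pam_helper_status() {
    helpers=$1
    limit=$2
    if [ "$helpers" -ge "$limit" ]; then
        echo "LOCKOUT"
    else
        echo "OK"
    fi
    return 0
}

# Stand-alone run on the constructed sample. On a live host replace the
# printf with: ps ax | count_pam_helpers
helpers=$(printf '%s\n' "$SAMPLE_PS" | count_pam_helpers)
echo "stale PAM helpers: $helpers, status: $(pam_helper_status "$helpers" 10)"
```

On a real system the count is compared against the first field of the MaxStartups value actually configured in sshd_config; a non-zero count that grows between runs, with no matching authenticated "sshd: <user>@pts/N" sessions, is the signature of the lockout the report describes.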