Mailing List Archive

[Bug 3210] New: Confusing errors when pam_acct_mgmt() fails

Bug ID: 3210
Summary: Confusing errors when pam_acct_mgmt() fails
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: PAM support

Created attachment 3445
pam: Correctly handle errors from pam_acct_mgmt

The fix for a bug #1188 introduced an unconditional override of return
value from pam_acct_mgmt(), setting PAM_ACCT_EXPIRED on any error from
account step.

It could have been 15 years ago, when there were not any other reasons
why this function could fail, but these days, there are at least
PAM_USER_UNKNOWN and PAM_PERM_DENIED (from Fedora 32 man pages). In
these cases, openssh goes into unexpected code paths giving confusing
error messages, such as:

pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0
tty=ssh ruser= rhost=client user=useruser
debug1: do_pam_account: called
pam_sss(sshd:account): Access denied for user useruser: 6 (Permission
debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
debug3: ssh_msg_send: type 13
debug3: PAM: User account has expired
error: PAM: User account has expired for useruser from client

As far as I read that, I do not see any recovery from either of these
errors worth retrying so I believe we should be fine handling them the
same as expired account though.

The attached is proposed patch, which should handle this use case as
well as the original issue in #1188. Tested in Fedora 32 with with respective return values as well as with expired

You are receiving this mail because:
You are watching the assignee of the bug.
openssh-bugs mailing list