
[Bug 3210] New: Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210

Bug ID: 3210
Summary: Confusing errors when pam_acct_mgmt() fails
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: PAM support
Assignee: unassigned-bugs@mindrot.org
Reporter: jjelen@redhat.com

Created attachment 3445
--> https://bugzilla.mindrot.org/attachment.cgi?id=3445&action=edit
pam: Correctly handle errors from pam_acct_mgmt

The fix for bug #1188 introduced an unconditional override of the return
value from pam_acct_mgmt(), setting PAM_ACCT_EXPIRED on any error from the
account step.

That may have been fine 15 years ago, when there were no other reasons
why this function could fail, but these days there are at least
PAM_USER_UNKNOWN and PAM_PERM_DENIED (from the Fedora 32 man pages). In
these cases, OpenSSH goes into unexpected code paths, giving confusing
error messages such as:

pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=client user=useruser
debug1: do_pam_account: called
pam_sss(sshd:account): Access denied for user useruser: 6 (Permission denied)
debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
debug3: ssh_msg_send: type 13
debug3: PAM: User account has expired
error: PAM: User account has expired for useruser from client

As far as I read it, I do not see any recovery from either of these
errors worth retrying, so I believe we should be fine handling them the
same as an expired account.

Attached is a proposed patch, which should handle this use case as
well as the original issue in #1188. Tested on Fedora 32 with
pam_debug.so returning the respective return values, as well as with an
expired user.

openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
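The code path the report describes, as an added example that is not part of the bug report, the attached patch, or OpenSSH's own source: a small stand-alone model of an sshd-style wrapper around the PAM account step. It links no libpam; the module's pam_acct_mgmt() result is passed in as an integer, the constants and error strings mirror Linux-PAM's values, and the struct and function names (acct_result, account_step_buggy, account_step_fixed, account_error_line) are hypothetical. The "buggy" variant reproduces the unconditional override (any failure becomes PAM_ACCT_EXPIRED), which is what turns a PAM_PERM_DENIED into "User account has expired"; the "fixed" variant is one way of keeping the real code while still denying access, and is not a description of what the attachment does.

```c
/* Added example, not OpenSSH code: models how a wrapper around the PAM
 * account step maps pam_acct_mgmt()'s result into what the server logs.
 * No libpam is linked; the caller supplies the return code directly. */
#include <stdio.h>
#include <string.h>

/* Linux-PAM return codes; values as in <security/_pam_types.h>. */
#define PAM_SUCCESS           0
#define PAM_PERM_DENIED       6
#define PAM_AUTH_ERR          7
#define PAM_USER_UNKNOWN     10
#define PAM_NEW_AUTHTOK_REQD 12
#define PAM_ACCT_EXPIRED     13

/* Hypothetical outcome struct: what the server does after the account step. */
struct acct_result {
    int allowed;                  /* 1: continue with the login */
    int password_change_required; /* 1: force a password change first */
    int reported_rc;              /* PAM code that gets logged/relayed */
};

/* Error strings as Linux-PAM's pam_strerror() returns them for these codes. */
static const char *pam_rc_name(int rc)
{
    switch (rc) {
    case PAM_SUCCESS:          return "Success";
    case PAM_PERM_DENIED:      return "Permission denied";
    case PAM_AUTH_ERR:         return "Authentication failure";
    case PAM_USER_UNKNOWN:     return "User not known to the underlying authentication module";
    case PAM_NEW_AUTHTOK_REQD: return "Authentication token is no longer valid; new one required";
    case PAM_ACCT_EXPIRED:     return "User account has expired";
    default:                   return "Unknown PAM error";
    }
}

/* Buggy mapping, as the report describes it: every account-step failure
 * except "new token required" is rewritten to PAM_ACCT_EXPIRED before it
 * is relayed, so the real reason (here 6, Permission denied) is lost. */
struct acct_result account_step_buggy(int pam_rc)
{
    struct acct_result r = { 0, 0, pam_rc };
    if (pam_rc == PAM_SUCCESS) {
        r.allowed = 1;
    } else if (pam_rc == PAM_NEW_AUTHTOK_REQD) {
        r.allowed = 1;
        r.password_change_required = 1;
    } else {
        r.reported_rc = PAM_ACCT_EXPIRED;   /* the unconditional override */
    }
    return r;
}

/* One way to do what the report proposes (hypothetical, not the attached
 * patch): keep denying on any failure, but preserve the real code. */
struct acct_result account_step_fixed(int pam_rc)
{
    struct acct_result r = { 0, 0, pam_rc };
    if (pam_rc == PAM_SUCCESS) {
        r.allowed = 1;
    } else if (pam_rc == PAM_NEW_AUTHTOK_REQD) {
        r.allowed = 1;
        r.password_change_required = 1;
    }
    return r;
}

/* Render the error line a server would log for a denied account step.
 * Returns a pointer into a static buffer (fine for this single-threaded demo). */
const char *account_error_line(struct acct_result r, const char *user, const char *host)
{
    static char line[256];
    snprintf(line, sizeof line, "error: PAM: %s for %s from %s",
             pam_rc_name(r.reported_rc), user, host);
    return line;
}

int main(void)
{
    /* Constructed inputs: codes a module such as pam_sss or pam_debug could
     * return from the account step, including the 6 seen in the report. */
    const int rcs[] = { PAM_PERM_DENIED, PAM_USER_UNKNOWN, PAM_ACCT_EXPIRED,
                        PAM_NEW_AUTHTOK_REQD, PAM_SUCCESS };
    size_t i;
    for (i = 0; i < sizeof rcs / sizeof rcs[0]; i++) {
        struct acct_result b = account_step_buggy(rcs[i]);
        struct acct_result f = account_step_fixed(rcs[i]);
        printf("pam_acct_mgmt = %d (%s)\n", rcs[i], pam_rc_name(rcs[i]));
        if (b.allowed) {
            printf("  allowed (password change required: %d)\n",
                   b.password_change_required);
        } else {
            printf("  buggy: %s\n", account_error_line(b, "useruser", "client"));
            printf("  fixed: %s\n", account_error_line(f, "useruser", "client"));
        }
    }
    return 0;
}
```

Running it with PAM_PERM_DENIED shows the two messages side by side: the buggy path logs "User account has expired for useruser from client" exactly as in the report, the fixed path logs "Permission denied for useruser from client" while still refusing the login. The "ssh_msg_send: type 13" in the report's debug output is consistent with the override, since 13 is PAM_ACCT_EXPIRED in Linux-PAM. To reproduce such account-step failures against a real sshd, pam_debug.so takes per-call return-value options in the service's PAM stack; check the pam_debug(8) man page on your distribution for the exact option names rather than relying on this note.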