OpenSSH-1.2.3: More info on ulimit problem
On 2000-Mar-29 at 01:26:32 -0500, Jim Knoble wrote:

: The ulimit problem appears to have reared its head again with
: openssh-1.2.3, under Red Hat Linux 6.1 (kernel-2.2.12, glibc-2.1.2,
: egcs-1.1.2, openssl-0.9.5, pam-0.68, pwdb-0.60):

[...]

: $ ssh localhost
: Last login: Wed Mar 29 01:10:36 2000 from quipu.earth
: You have mail.
: ulimit: cannot raise limit: Operation not permitted
: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Further info: openssh-1.2.3 appears to be ignoring /etc/pam.d/sshd.
The following pam file ought not to allow me to login via ssh:

#%PAM-1.0
auth required /lib/security/pam_deny.so
account required /lib/security/pam_deny.so
password required /lib/security/pam_deny.so
session required /lib/security/pam_deny.so

Yet, i can still log in as though nothing were wrong. sshd appears to
be linked against the PAM libs:

# ldd /usr/sbin/sshd
libdl.so.2 => /lib/libdl.so.2 (0x40018000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4001c000)
libz.so.1 => /usr/lib/libz.so.1 (0x40032000)
libutil.so.1 => /lib/libutil.so.1 (0x40041000)
libpam.so.0 => /lib/libpam.so.0 (0x40044000)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
libcrypto.so.0 => /usr/lib/libcrypto.so.0 (0x4004c000)
libc.so.6 => /lib/libc.so.6 (0x400fd000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

And i'm certain i didn't build with '--without-pam':

$ grep -B 2 -A 7 '\./configure' openssh.jmk.spec
%build
CFLAGS="${RPM_OPT_FLAGS}" \
./configure \
--prefix="%{Prefix}" \
--sysconfdir="%{EtcDir}" \
--with-ipv4-default \
--with-tcp-wrappers \
--with-default-path="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"

make

I'm mystified. Damien, can you confirm whether anything similar to
this is happening for you under RHL-6.1?

--
jim knoble
jmknoble@pobox.com
Re: OpenSSH-1.2.3: More info on ulimit problem
On Thu, Mar 30, 2000 at 06:23:57AM -0500, Jim Knoble wrote:
> On 2000-Mar-29 at 01:26:32 -0500, Jim Knoble wrote:
>
> : The ulimit problem appears to have reared its head again with
> : openssh-1.2.3, under Red Hat Linux 6.1 (kernel-2.2.12, glibc-2.1.2,
> : egcs-1.1.2, openssl-0.9.5, pam-0.68, pwdb-0.60):
>
> [...]
>
> : $ ssh localhost
> : Last login: Wed Mar 29 01:10:36 2000 from quipu.earth
> : You have mail.
> : ulimit: cannot raise limit: Operation not permitted
> : ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Further info: openssh-1.2.3 appears to be ignoring /etc/pam.d/sshd.
> The following pam file ought not to allow me to login via ssh:
>
> #%PAM-1.0
> auth required /lib/security/pam_deny.so
> account required /lib/security/pam_deny.so
> password required /lib/security/pam_deny.so
> session required /lib/security/pam_deny.so
>
> Yet, i can still log in as though nothing were wrong. sshd appears to
> be linked against the PAM libs:
>
> # ldd /usr/sbin/sshd
> libdl.so.2 => /lib/libdl.so.2 (0x40018000)
> libnsl.so.1 => /lib/libnsl.so.1 (0x4001c000)
> libz.so.1 => /usr/lib/libz.so.1 (0x40032000)
> libutil.so.1 => /lib/libutil.so.1 (0x40041000)
> libpam.so.0 => /lib/libpam.so.0 (0x40044000)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> libcrypto.so.0 => /usr/lib/libcrypto.so.0 (0x4004c000)
> libc.so.6 => /lib/libc.so.6 (0x400fd000)
> /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
>
> And i'm certain i didn't build with '--without-pam':
>
> $ grep -B 2 -A 7 '\./configure' openssh.jmk.spec
> %build
> CFLAGS="${RPM_OPT_FLAGS}" \
> ./configure \
> --prefix="%{Prefix}" \
> --sysconfdir="%{EtcDir}" \
> --with-ipv4-default \
> --with-tcp-wrappers \
> --with-default-path="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"
>
> make
>
> I'm mystified. Damien, can you confirm whether anything similar to
> this is happening for you under RHL-6.1?
>

I am running rh 6.2beta and 6.1, and all is well with pam. When I
tried your sshd pam file, I could not log in.

I am using the official rpms:

rpm -q openss{h,l}
openssh-1.2.3-1
openssl-0.9.4-3


But of course, I can verify the ulimit stuff.

Mate
Re: OpenSSH-1.2.3: More info on ulimit problem
On Thu, 30 Mar 2000, Jim Knoble wrote:

> I'm mystified. Damien, can you confirm whether anything similar to
> this is happening for you under RHL-6.1?

I can't replicate this - a pam_deny.so will indeed lock me out.

You don't have an old binary floating around?

What does "ident `which sshd` | grep pam" say?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)
Re: OpenSSH-1.2.3: More info on ulimit problem
On 2000-Mar-31 at 19:42:52 +1000, Damien Miller wrote:

: On Thu, 30 Mar 2000, Jim Knoble wrote:
:
: > I'm mystified. Damien, can you confirm whether anything similar to
: > this is happening for you under RHL-6.1?
:
: I can't replicate this - a pam_deny.so will indeed lock me out.
:
: You don't have an old binary floating around?

I'm certain i don't; i've never installed ssh or openssh with anything
but RPM on this system (or any other software, for that matter).

: What does "ident `which sshd` | grep pam" say?

Hmmm ... this is interesting:

$ sudo which sshd
/usr/sbin/sshd
$ ident /usr/sbin/sshd |grep pam
$

Also interesting:

$ strings /usr/sbin/sshd |grep pam
libpam.so.0
$

[pause] Nope, no 'pam' anywhere in sshd. Lack of pam stuff in sshd is
obviously the cause of the mysterious behavior i'm seeing, but i'm
rather stumped as to why the pam portion of sshd should think it's
permissible to quietly walk off set during production.

[pause for configuring and compiling of openssh under observation] How
suspicious. A newly compiled binary includes the 'auth-pam' module.
Time for rpm --rebuild.

I'm still rather mystified, but the fault clearly lies somewhere
between chair and magnetic medium. Chalk this one up to the gremlins.

--
jim knoble
jmknoble@pobox.com
Re: OpenSSH-1.2.3: More info on ulimit problem
On Fri, Mar 31, 2000 at 05:04:25AM -0500, Jim Knoble wrote:
> Hmmm ... this is interesting:
>
> $ sudo which sshd
> /usr/sbin/sshd
> $ ident /usr/sbin/sshd |grep pam
> $

Using the official rpm:

ident /usr/sbin/sshd |grep pam
$Id: auth-pam.c,v 1.2 2000/01/26 23:55:38 damien Exp $

>
> Also interesting:
>
> $ strings /usr/sbin/sshd |grep pam
> libpam.so.0
> $

strings /usr/sbin/sshd |grep pam
libpam.so.0
pam_set_item
pam_strerror
pam_end
pam_start
pam_acct_mgmt
pam_authenticate
pam_setcred
pam_open_session
pam_close_session
pam_getenvlist
@(#)$Id: auth-pam.c,v 1.2 2000/01/26 23:55:38 damien Exp $

Mate
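
The thread's diagnosis (libpam shows up in ldd, yet no pam_* calls or auth-pam.c id are in the binary) can be turned into a repeatable check. This is an added example, not part of the original messages: the helper names are hypothetical, the sample files are constructed from the outputs quoted above, and grep -a is used in place of strings and ident.

```shell
#!/bin/sh
# Added example (not from the thread): decide from a binary's embedded
# strings whether PAM is actually used. grep -a stands in for strings(1)
# and ident(1) so that neither has to be installed.

# PAM entry points taken from the official binary's strings output above.
PAM_CALLS="pam_start pam_authenticate pam_acct_mgmt pam_open_session"

pam_support() {   # hypothetical helper: prints a one-word verdict
    bin=$1
    if [ ! -r "$bin" ]; then echo "unreadable"; return 0; fi
    linked=no; calls=0; total=0
    if grep -a -q 'libpam\.so' "$bin"; then linked=yes; fi
    for sym in $PAM_CALLS; do
        total=$((total + 1))
        if grep -a -q "$sym" "$bin"; then calls=$((calls + 1)); fi
    done
    if [ "$calls" -eq "$total" ]; then
        echo "pam-enabled"
    elif [ "$linked" = yes ] && [ "$calls" -eq 0 ]; then
        # libpam is a link dependency but nothing calls into it, so
        # /etc/pam.d/sshd is never consulted (the symptom in the thread).
        echo "linked-but-unused"
    elif [ "$calls" -eq 0 ]; then
        echo "no-pam"
    else
        echo "inconclusive"
    fi
}

auth_pam_id() {   # hypothetical helper: like `ident FILE | grep pam`
    grep -a -o '\$Id: auth-pam\.c,v[^$]*\$' "$1" || true
}

# Constructed sample files (not real binaries): NUL-separated strings
# copied from the two outputs quoted in the thread.
make_samples() {
    printf 'libdl.so.2\000libpam.so.0\000libc.so.6\000' > "$1/sshd.broken"
    printf 'libpam.so.0\000pam_start\000pam_acct_mgmt\000pam_authenticate\000pam_open_session\000@(#)$Id: auth-pam.c,v 1.2 2000/01/26 23:55:38 damien Exp $\000' > "$1/sshd.official"
    printf 'libc.so.6\000libcrypto.so.0\000' > "$1/sshd.nopam"
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
for f in sshd.broken sshd.official sshd.nopam; do
    printf '%s: %s %s\n' "$f" "$(pam_support "$SAMPLES/$f")" "$(auth_pam_id "$SAMPLES/$f")"
done
rm -rf "$SAMPLES"
```

On a real host, call pam_support /usr/sbin/sshd after each package build or upgrade; a "linked-but-unused" verdict means the PAM policy file is not being enforced by that binary.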