Bug 129328

Summary: PAM critical error while logging in via ssh
Product: [Fedora] Fedora
Reporter: Brian Bruns <bruns>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE
Severity: high
Priority: medium
Version: rawhide
CC: redhat-bugzilla, t8m
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-10-14 11:32:25 UTC
Bug Blocks: 123268
Attachments:
- sshd file for pam (flags: none)
- system-auth file for pam (flags: none)
- This should fix it (flags: none)

Description Brian Bruns 2004-08-06 15:20:00 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5)
Gecko/20031016 K-Meleon/0.8.2

Description of problem:
PAM fails with a critical error when trying to login via SSH after
upgrading to pam-0.77-54.  pam-0.77-40 does not exhibit this problem.

Rebuilding both PAM and OpenSSH from source rpms has no effect. 
SELinux is not running on the system.

/var/log/messages shows:
Aug  5 07:16:50 everest sshd[19564]: Accepted keyboard-interactive/pam for xxxxxxxxx from ::ffff:xxx.xxx.xxx.xxx port 2497 ssh2
Aug  5 07:16:50 everest sshd(pam_unix)[19567]: session opened for user xxxxxxxxx by (uid=0)
Aug  5 07:16:50 everest sshd[19567]: fatal: PAM: pam_setcred(): Critical error - immediate abort
Aug  5 07:16:50 everest sshd(pam_unix)[19567]: session closed for user xxxxxxxxx

User never finishes getting logged in and to a command prompt.


Version-Release number of selected component (if applicable):
pam-0.77-54

How reproducible:
Always

Steps to Reproduce:
1. Upgrade to pam-0.77-54
2. Attempt to login via ssh as any user on the system
    

Actual Results:  Connection closes right away, and the log snippet
above is put in /var/log/messages

Expected Results:  Command prompt

Additional info:

openssh-3.8.1p1-5
pam-0.77-54
glibc-2.3.3-39
stock 2.6.7 kernel
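
Added example, not part of the original report: a small log correlator that finds sshd sessions where authentication succeeded and the PAM session opened, but a fatal PAM call (here `pam_setcred()`) then killed the login, which is the pattern in the excerpt above. The function name `find_pam_aborts`, the sample user names and the addresses are constructed for illustration.

```python
import re

# Constructed sample in the format of the report's /var/log/messages excerpt
# (user names and addresses are placeholders, not values from the report).
SAMPLE_LOG = """\
Aug  5 07:16:50 everest sshd[19564]: Accepted keyboard-interactive/pam for alice from ::ffff:192.0.2.10 port 2497 ssh2
Aug  5 07:16:50 everest sshd(pam_unix)[19567]: session opened for user alice by (uid=0)
Aug  5 07:16:50 everest sshd[19567]: fatal: PAM: pam_setcred(): Critical error - immediate abort
Aug  5 07:16:50 everest sshd(pam_unix)[19567]: session closed for user alice
Aug  5 07:20:02 everest sshd[19601]: Accepted publickey for bob from ::ffff:192.0.2.11 port 2510 ssh2
Aug  5 07:20:02 everest sshd(pam_unix)[19604]: session opened for user bob by (uid=0)
Aug  5 07:31:40 everest sshd(pam_unix)[19604]: session closed for user bob
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
                  r"sshd(?:\((?P<mod>\w+)\))?\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port \d+")
OPENED = re.compile(r"^session opened for user (\S+)")
FATAL = re.compile(r"^fatal: PAM: (pam_\w+)\(\): (.*)$")

def find_pam_aborts(log_text):
    """Return one record per sshd session killed by a fatal PAM error
    after authentication had already succeeded."""
    last_accept = {}    # user -> (auth method, source address)
    open_sessions = {}  # session pid -> user
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (a := ACCEPTED.match(msg)):
            last_accept[a[2]] = (a[1], a[3])
        elif (o := OPENED.match(msg)):
            open_sessions[pid] = o[1]
        elif (f := FATAL.match(msg)) and pid in open_sessions:
            user = open_sessions.pop(pid)
            method, src = last_accept.get(user, (None, None))
            findings.append({"time": m["ts"], "pid": int(pid), "user": user,
                             "source": src, "method": method,
                             "pam_call": f[1], "error": f[2]})
        elif msg.startswith("session closed"):
            open_sessions.pop(pid, None)
    return findings

if __name__ == "__main__":
    for hit in find_pam_aborts(SAMPLE_LOG):
        print(hit)
```

The "Accepted" line is logged under a different sshd PID than the session lines, so the source address is joined by user name rather than by PID.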

Comment 1 Robert Scheck 2004-08-06 18:24:06 UTC
Seems to be a general SELinux problem (if pam is built against
SELinux), because in a non-SELinux environment I'm not able to
reproduce it.

Comment 2 Brian Bruns 2004-08-30 02:15:01 UTC
Bug still exists in latest pam packages, and openssh packages as of today.

I've gone over our SELinux config multiple times, relabeled the system
completely.  The machine is running the latest 2.6.8.1 kernel with
SELinux options turned on.

Please let me know if you need any specific debugging output, etc, and
how to get them, and I will be more than happy to provide them.

Comment 3 Brian Bruns 2004-09-09 05:10:56 UTC
I managed to narrow it down to pam-0.77-grubb_leak.patch as the cause
of the pam_setcred errors. When built without that patch, everything
functions as expected with no login problems.

Comment 4 Tomas Mraz 2004-09-14 11:25:53 UTC
Could you please post here contents of your /etc/pam.d/sshd and
system-auth files?
Also could you please try latest pam and openssh packages from Fedora
Development?


Comment 5 Brian Bruns 2004-09-14 15:39:32 UTC
Created attachment 103832
sshd file for pam

Comment 6 Brian Bruns 2004-09-14 15:42:58 UTC
Created attachment 103833
system-auth file for pam

Comment 7 Brian Bruns 2004-09-14 15:48:39 UTC
I'm using pam-0.77-55 and openssh-3.9p1-3, which are from what I see,
both the latest (I've got -55 running right now without the grubb_leak
patch, but have tried it with the patch too, and same problem).

Comment 8 Tomas Mraz 2004-09-17 13:23:27 UTC
Created attachment 103944
This should fix it

This patch should probably fix it for you, but I still don't know why it fails
only for you Brian and nobody else. 
The problem is that this return value is normally ignored by the processing but
in your case it isn't and I don't know why. Also I'm not sure what's more
correct behaviour - to ignore the value or not.

Comment 9 Tomas Mraz 2004-09-22 08:17:26 UTC
Has the patch fixed it for you Brian?


Comment 10 Brian Bruns 2004-09-22 14:59:48 UTC
Sorry, have been away for the past few days.

Yes, the patch does fix the problem and I am able to login without
seeing the error in the logs.

Comment 11 Brian Bruns 2004-09-27 04:31:26 UTC
Problem appears to be fixed in pam-0.77-59.

From the changelog:

* Thu Sep 23 2004 Phil Knirsch <pknirsch> 0.77-59
- Fixed bug in pam_env where wrong initializer was used


And it appears that pam-0.77-defaultconf.patch is what the change was.  

Comment 12 Ivo 2004-09-28 08:34:54 UTC
I've seen the same problem with rlogin to a machine running FC3 test2,
although ssh login worked in my case.
In any case, updating to pam-0.77-59 has fixed the problem.

Comment 13 Tomas Mraz 2004-10-08 12:19:23 UTC
Yes, but pam-0.77-60 will unfix it again as the fix wasn't exactly right.

The easiest workaround is to touch the /etc/environment file.


Comment 14 Tomas Mraz 2004-10-11 14:57:00 UTC
I've added the attached patch to pam-0.77-61 so it shouldn't be
necessary to ship the /etc/environment file.