Red Hat Bugzilla – Bug 129328
PAM critical error while logging in via ssh
Last modified: 2007-11-30 17:10:47 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5)
Description of problem:
PAM fails with a critical error when trying to login via SSH after
upgrading to pam-0.77-54. pam-0.77-40 does not exhibit this problem.
Rebuilding both PAM and OpenSSH from source rpms has no effect.
SELinux is not running on the system.
Aug 5 07:16:50 everest sshd: Accepted keyboard-interactive/pam
for xxxxxxxxx from ::ffff:xxx.xxx.xxx.xxx port 2497 ssh2
Aug 5 07:16:50 everest sshd(pam_unix): session opened for user
xxxxxxxxx by (uid=0)
Aug 5 07:16:50 everest sshd: fatal: PAM: pam_setcred():
Critical error - immediate abort
Aug 5 07:16:50 everest sshd(pam_unix): session closed for user
User never finishes getting logged in and to a command prompt.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Upgrade to pam-0.77-54
2. Attempt to login via ssh as any user on the system
Actual Results: Connection closes right away, and the log snippet
above is put in /var/log/messages
Expected Results: Command prompt
stock 2.6.7 kernel
Seems to be a general SELinux problem (if pam is build against
SELinux), because in a non-SELinux environment I'm not able to
Bug still exists in latest pam packages, and openssh packages as of today.
I've gone over our SELinux config multiple times, relabeled the system
completely. The machine is running the latest 188.8.131.52 kernel with
SELinux options turned on.
Please let me know if you need any specific debugging output, etc, and
how to get them, and I will be more then happy to provide them.
I managed to narrow it down to pam-0.77-grubb_leak.patch as the cause
of the pam_setcred errors When built without that patch, everything
functions as expected with no login problems.
Could you please post here contents of your /etc/pam.d/sshd and
Also could you please try latest pam and openssh packages from Fedora
Created attachment 103832 [details]
sshd file for pam
Created attachment 103833 [details]
system-auth file for pam
I'm using pam-0.77-55 and openssh-3.9p1-3, which are from what I see,
both the latest (I've got -55 running right now without the grubb_leak
patch, but have tried it with the patch too, and same problem).
Created attachment 103944 [details]
This should fix it
This patch should probably fix it for you, but I still don't know why it fails
only for you Brian and nobody else.
The problem is that this return value is normally ignored by the processing but
in your case it isn't and I don't know why. Also I'm not sure what's more
correct behaviour - to ignore the value or not.
Has the patch fixed it for you Brian?
Sorry, have been away for the past few days.
Yes, the patch does fix the problem and I am able to login without
seeing the error in the logs.
Problem appears to be fixed in pam-0.77-59.
From the changelog:
* Thu Sep 23 2004 Phil Knirsch <email@example.com> 0.77-59
- Fixed bug in pam_env where wrong initializer was used
And it appears that pam-0.77-defaultconf.patch is what the change was.
I've seen the same problem with rlogin to machine running FC3 test2,
although ssh login worked in my case.
In any case, updating to pam-0.77-59 has fixed the problem.
Yes, but pam-0.77-60 will unfix it again as the fix wasn't exactly right.
The easiest workaround is to touch /etc/environment file.
I've added the attached patch to pam-0.77-61 so it shouldn't be
necessary to ship the /etc/environment file.