From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031016 K-Meleon/0.8.2 Description of problem: PAM fails with a critical error when trying to login via SSH after upgrading to pam-0.77-54. pam-0.77-40 does not exhibit this problem. Rebuilding both PAM and OpenSSH from source rpms has no effect. SELinux is not running on the system. /var/log/messages shows: Aug 5 07:16:50 everest sshd[19564]: Accepted keyboard-interactive/pam for xxxxxxxxx from ::ffff:xxx.xxx.xxx.xxx port 2497 ssh2 Aug 5 07:16:50 everest sshd(pam_unix)[19567]: session opened for user xxxxxxxxx by (uid=0) Aug 5 07:16:50 everest sshd[19567]: fatal: PAM: pam_setcred(): Critical error - immediate abort Aug 5 07:16:50 everest sshd(pam_unix)[19567]: session closed for user xxxxxxxxx User never finishes getting logged in and to a command prompt. Version-Release number of selected component (if applicable): pam-0.77-54 How reproducible: Always Steps to Reproduce: 1. Upgrade to pam-0.77-54 2. Attempt to login via ssh as any user on the system Actual Results: Connection closes right away, and the log snippet above is put in /var/log/messages Expected Results: Command prompt Additional info: openssh-3.8.1p1-5 pam-0.77-54 glibc-2.3.3-39 stock 2.6.7 kernel
Seems to be a general SELinux problem (if pam is build against SELinux), because in a non-SELinux environment I'm not able to reproduce it.
Bug still exists in latest pam packages, and openssh packages as of today. I've gone over our SELinux config multiple times, relabeled the system completely. The machine is running the latest 2.6.8.1 kernel with SELinux options turned on. Please let me know if you need any specific debugging output, etc, and how to get them, and I will be more then happy to provide them.
I managed to narrow it down to pam-0.77-grubb_leak.patch as the cause of the pam_setcred errors When built without that patch, everything functions as expected with no login problems.
Could you please post here contents of your /etc/pam.d/sshd and system-auth files? Also could you please try latest pam and openssh packages from Fedora Development?
Created attachment 103832 [details] sshd file for pam
Created attachment 103833 [details] system-auth file for pam
I'm using pam-0.77-55 and openssh-3.9p1-3, which are from what I see, both the latest (I've got -55 running right now without the grubb_leak patch, but have tried it with the patch too, and same problem).
Created attachment 103944 [details] This should fix it This patch should probably fix it for you, but I still don't know why it fails only for you Brian and nobody else. The problem is that this return value is normally ignored by the processing but in your case it isn't and I don't know why. Also I'm not sure what's more correct behaviour - to ignore the value or not.
Has the patch fixed it for you Brian?
Sorry, have been away for the past few days. Yes, the patch does fix the problem and I am able to login without seeing the error in the logs.
Problem appears to be fixed in pam-0.77-59. From the changelog: * Thu Sep 23 2004 Phil Knirsch <pknirsch> 0.77-59 - Fixed bug in pam_env where wrong initializer was used And it appears that pam-0.77-defaultconf.patch is what the change was.
I've seen the same problem with rlogin to machine running FC3 test2, although ssh login worked in my case. In any case, updating to pam-0.77-59 has fixed the problem.
Yes, but pam-0.77-60 will unfix it again as the fix wasn't exactly right. The easiest workaround is to touch /etc/environment file.
I've added the attached patch to pam-0.77-61 so it shouldn't be necessary to ship the /etc/environment file.