Bug 129328 - PAM critical error while logging in via ssh
Summary: PAM critical error while logging in via ssh
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact:
Depends On:
Blocks: FC3Target
Reported: 2004-08-06 15:19 UTC by Brian Bruns
Modified: 2007-11-30 22:10 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2004-10-14 11:32:25 UTC

Attachments
sshd file for pam (281 bytes, text/plain), 2004-09-14 15:39 UTC, Brian Bruns
system-auth file for pam (831 bytes, text/plain), 2004-09-14 15:42 UTC, Brian Bruns
This should fix it (422 bytes, patch), 2004-09-17 13:23 UTC, Tomas Mraz

Description Brian Bruns 2004-08-06 15:20:00 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5)
Gecko/20031016 K-Meleon/0.8.2

Description of problem:
PAM fails with a critical error when trying to log in via SSH after
upgrading to pam-0.77-54.  pam-0.77-40 does not exhibit this problem.

Rebuilding both PAM and OpenSSH from source rpms has no effect. 
SELinux is not running on the system.

/var/log/messages shows:
Aug  5 07:16:50 everest sshd[19564]: Accepted keyboard-interactive/pam for xxxxxxxxx from ::ffff:xxx.xxx.xxx.xxx port 2497 ssh2
Aug  5 07:16:50 everest sshd(pam_unix)[19567]: session opened for user xxxxxxxxx by (uid=0)
Aug  5 07:16:50 everest sshd[19567]: fatal: PAM: pam_setcred(): Critical error - immediate abort
Aug  5 07:16:50 everest sshd(pam_unix)[19567]: session closed for user

User never finishes getting logged in and to a command prompt.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Upgrade to pam-0.77-54
2. Attempt to log in via ssh as any user on the system

Actual Results:  Connection closes right away, and the log snippet
above is put in /var/log/messages

Expected Results:  Command prompt

Additional info:

stock 2.6.7 kernel
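
The pattern in the log excerpt above, an accepted authentication followed at once by a fatal pam_setcred() abort, can be picked out of sshd logs mechanically. This is an added example, not part of the original report; the sample log is constructed (user names and addresses are placeholders), and the 5-second pairing window and the year parameter are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the excerpt in the report; users/addresses are placeholders.
SAMPLE = """\
Aug  5 07:16:50 everest sshd[19564]: Accepted keyboard-interactive/pam for alice from ::ffff:192.0.2.10 port 2497 ssh2
Aug  5 07:16:50 everest sshd(pam_unix)[19567]: session opened for user alice by (uid=0)
Aug  5 07:16:50 everest sshd[19567]: fatal: PAM: pam_setcred(): Critical error - immediate abort
Aug  5 07:20:11 everest sshd[19701]: Accepted keyboard-interactive/pam for bob from ::ffff:192.0.2.11 port 2501 ssh2
Aug  5 09:02:33 everest sshd[20111]: fatal: PAM: pam_setcred(): Critical error - immediate abort
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sshd(?:\([^)]*\))?\[(\d+)\]: (.*)$")
ACCEPTED = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port \d+")
PAM_FATAL = re.compile(r"^fatal: PAM: (pam_\w+)\(\): (.+)$")

def find_aborted_logins(text, year=2004, window=timedelta(seconds=5)):
    """Pair each fatal PAM abort with the accepted login just before it.
    The accepting and aborting processes log different PIDs (19564 and 19567 in
    the report), so pairing uses host and time; concurrent logins may mis-pair.
    """
    last_accept = {}  # host -> latest unpaired "Accepted" event
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, host, pid, msg = m.groups()
        # syslog omits the year; supply one so the timestamp parses unambiguously
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        acc = ACCEPTED.match(msg)
        if acc:
            method, user, src = acc.groups()
            last_accept[host] = {"time": when, "method": method, "user": user, "src": src}
            continue
        fatal = PAM_FATAL.match(msg)
        if fatal:
            prev = last_accept.pop(host, None)
            if prev is None or when - prev["time"] > window:
                prev = {"method": None, "user": None, "src": None}  # no login to pair with
            findings.append({"time": when, "host": host, "pid": int(pid),
                             "call": fatal.group(1), "error": fatal.group(2),
                             "user": prev["user"], "src": prev["src"], "method": prev["method"]})
    return findings

if __name__ == "__main__":
    for f in find_aborted_logins(SAMPLE):
        print(f"{f['time']:%b %d %H:%M:%S} {f['host']} {f['call']} abort after auth: "
              f"user={f['user']} src={f['src']} ({f['error']})")
```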

Comment 1 Robert Scheck 2004-08-06 18:24:06 UTC
Seems to be a general SELinux problem (if pam is built against
SELinux), because in a non-SELinux environment I'm not able to
reproduce it.

Comment 2 Brian Bruns 2004-08-30 02:15:01 UTC
Bug still exists in latest pam packages, and openssh packages as of today.

I've gone over our SELinux config multiple times, relabeled the system
completely.  The machine is running the latest kernel with
SELinux options turned on.

Please let me know if you need any specific debugging output, etc., and
how to get them, and I will be more than happy to provide them.

Comment 3 Brian Bruns 2004-09-09 05:10:56 UTC
I managed to narrow it down to pam-0.77-grubb_leak.patch as the cause
of the pam_setcred errors.  When built without that patch, everything
functions as expected with no login problems.

Comment 4 Tomas Mraz 2004-09-14 11:25:53 UTC
Could you please post the contents of your /etc/pam.d/sshd and
system-auth files here?
Also could you please try latest pam and openssh packages from Fedora

Comment 5 Brian Bruns 2004-09-14 15:39:32 UTC
Created attachment 103832
sshd file for pam

Comment 6 Brian Bruns 2004-09-14 15:42:58 UTC
Created attachment 103833
system-auth file for pam

Comment 7 Brian Bruns 2004-09-14 15:48:39 UTC
I'm using pam-0.77-55 and openssh-3.9p1-3, which are, from what I see,
both the latest (I've got -55 running right now without the grubb_leak
patch, but have tried it with the patch too, and same problem).

Comment 8 Tomas Mraz 2004-09-17 13:23:27 UTC
Created attachment 103944
This should fix it

This patch should probably fix it for you, but I still don't know why it fails
only for you, Brian, and nobody else.
The problem is that this return value is normally ignored by the processing, but
in your case it isn't and I don't know why. Also I'm not sure what's the more
correct behaviour - to ignore the value or not.

Comment 9 Tomas Mraz 2004-09-22 08:17:26 UTC
Has the patch fixed it for you, Brian?

Comment 10 Brian Bruns 2004-09-22 14:59:48 UTC
Sorry, have been away for the past few days.

Yes, the patch does fix the problem and I am able to log in without
seeing the error in the logs.

Comment 11 Brian Bruns 2004-09-27 04:31:26 UTC
Problem appears to be fixed in pam-0.77-59.

From the changelog:

* Thu Sep 23 2004 Phil Knirsch <pknirsch@redhat.com> 0.77-59
- Fixed bug in pam_env where wrong initializer was used

And it appears that pam-0.77-defaultconf.patch is what the change was.  

Comment 12 Ivo 2004-09-28 08:34:54 UTC
I've seen the same problem with rlogin to a machine running FC3 test2,
although ssh login worked in my case.
In any case, updating to pam-0.77-59 has fixed the problem.

Comment 13 Tomas Mraz 2004-10-08 12:19:23 UTC
Yes, but pam-0.77-60 will unfix it again as the fix wasn't exactly right.

The easiest workaround is to touch the /etc/environment file.

Comment 14 Tomas Mraz 2004-10-11 14:57:00 UTC
I've added the attached patch to pam-0.77-61 so it shouldn't be
necessary to ship the /etc/environment file.
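
The workaround in comment 13 ties the failure to /etc/environment being absent while pam_env is in the PAM stack, so a host can be checked for that condition before it bites. This is an added example, not code from the report or from the pam package: the function names and the root parameter are hypothetical, the PAM files in demo() are constructed rather than copied from the attachments, and envfile= and readenv= are pam_env options as documented in current Linux-PAM, which may differ from the pam-0.77 builds discussed here.

```python
import os
import re
import tempfile

DEFAULT_ENVFILE = "/etc/environment"  # the file the workaround in this report creates
# type, control (plain or bracketed), module path, remaining arguments
PAM_LINE = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def audit_pam_env(pam_dir, root="/"):
    """List pam_env.so entries under pam_dir and flag those whose envfile is absent."""
    findings = []
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            for lineno, raw in enumerate(fh, 1):
                m = PAM_LINE.match(raw.split("#", 1)[0])  # drop comments first
                if not m or os.path.basename(m.group(3)) != "pam_env.so":
                    continue
                opts = dict(a.split("=", 1) for a in m.group(4).split() if "=" in a)
                envfile = opts.get("envfile", DEFAULT_ENVFILE)
                read = opts.get("readenv", "1") != "0"  # readenv=0 disables the read
                on_disk = os.path.join(root, envfile.lstrip("/"))
                findings.append({"file": name, "line": lineno, "type": m.group(1),
                                 "control": m.group(2), "envfile": envfile,
                                 "missing": read and not os.path.isfile(on_disk)})
    return findings

def demo():
    """Run the audit on a constructed tree, before and after creating the file."""
    with tempfile.TemporaryDirectory() as root:
        pam_dir = os.path.join(root, "etc", "pam.d")
        os.makedirs(pam_dir)
        # Constructed sample files; the report's attachments are not reproduced here.
        with open(os.path.join(pam_dir, "system-auth"), "w") as fh:
            fh.write("#%PAM-1.0\nauth       required     /lib/security/$ISA/pam_env.so\n"
                     "auth       sufficient   /lib/security/$ISA/pam_unix.so nullok\n")
        with open(os.path.join(pam_dir, "sshd"), "w") as fh:
            fh.write("#%PAM-1.0\nauth       required     pam_stack.so service=system-auth\n")
        before = audit_pam_env(pam_dir, root)
        open(os.path.join(root, "etc", "environment"), "w").close()  # same effect as touch
        after = audit_pam_env(pam_dir, root)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

On a live system, audit_pam_env("/etc/pam.d") reports the same fields for the real stack.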
