Bug#237272: ssh: PAM session optional modules are not called if UsePrivilegeSeparation is off
Package: ssh
Version: 1:3.8p1-1
Severity: normal
Tags: sid
If privilege separation is turned _OFF_, then it seems that the PAM session
modules with the "optional" flag are not called, for example:
session optional pam_motd.so
session optional pam_lastlog.so never
session optional pam_mail.so standard noenv
None of these modules was called when the privilege separation was turned
off. However, after turning the priv separation on, everything works as
expected.
To be honest, I cannot say exactly whether those modules are really not called,
or whether there is some other problem that prevents them from working. But the
effects are obvious - no MOTD is printed, no "You have mail" message is
displayed, exactly as if these modules were entirely ignored.
I must admit I was amused when I detected this problem. Originally, there
were problems with privilege separation turned on. Now, after upgrading
the PAM code in SSH and making it compatible with privilege separation, it
seems to me that there is even some dependency between the two.
My /etc/ssh/sshd_config (sans commented lines):
Port 22
Protocol 2
UsePrivilegeSeparation yes
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog no
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/lib/sftp-server
Regards,
Peter
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.25
Locale: LANG=C, LC_CTYPE=C (ignored: LC_ALL set to C)
Versions of packages ssh depends on:
ii adduser 3.51 Add and remove users and groups
ii debconf 1.4.14 Debian configuration management sy
ii dpkg 1.10.19 Package maintenance system for Deb
ii libc6 2.3.2.ds1-11 GNU C Library: Shared libraries an
ii libpam-modules 0.76-15 Pluggable Authentication Modules f
ii libpam-runtime 0.76-15 Runtime support for the PAM librar
ii libpam0g 0.76-15 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7c-5 SSL shared libraries
ii libwrap0 7.6-ipv6.1-3 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.1-4 compression library - runtime
-- debconf information:
* ssh/privsep_tell:
ssh/insecure_rshd:
ssh/privsep_ask: true
* ssh/ssh2_keys_merged:
* ssh/user_environment_tell:
* ssh/forward_warning:
* ssh/insecure_telnetd:
ssh/new_config: true
ssh/ancient_version:
* ssh/use_old_init_script: true
ssh/protocol2_only: true
ssh/rootlogin_warning:
ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/upgrade_to_openssh: true
* ssh/SUID_client: false