
Bug#237272: ssh: PAM session optional modules are not called if UsePrivilegeSeparation is off



Package: ssh
Version: 1:3.8p1-1
Severity: normal
Tags: sid

If privilege separation is turned _OFF_ then it seems that the PAM session
modules with the "optional" flag are not called, for example:

session    optional     pam_motd.so
session    optional     pam_lastlog.so  never
session    optional     pam_mail.so standard noenv

None of these modules was called when the privilege separation was turned
off. However, after turning the priv separation on, everything works as
expected.

To be honest, I cannot say exactly whether those modules aren't really called,
or whether there is some other problem that prevents them from working. But the
effects are obvious - no MOTD is printed, no "You have mail" message is
displayed, exactly as if these modules were entirely ignored.

I must admit I was amused when I detected this problem. Originally, there
were problems with privilege separation turned on. Now, after upgrading
the PAM code in SSH and making it compatible with priv separation, it
seems to me that there is even some dependency between the two.

My /etc/ssh/sshd_config (sans commented lines):

Port 22
Protocol 2
UsePrivilegeSeparation yes
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog no
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem	sftp	/usr/lib/sftp-server

Regards,
Peter

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.25
Locale: LANG=C, LC_CTYPE=C (ignored: LC_ALL set to C)

Versions of packages ssh depends on:
ii  adduser                     3.51         Add and remove users and groups
ii  debconf                     1.4.14       Debian configuration management sy
ii  dpkg                        1.10.19      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-11 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-15      Pluggable Authentication Modules f
ii  libpam-runtime              0.76-15      Runtime support for the PAM librar
ii  libpam0g                    0.76-15      Pluggable Authentication Modules l
ii  libssl0.9.7                 0.9.7c-5     SSL shared libraries
ii  libwrap0                    7.6-ipv6.1-3 Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.2.1-4    compression library - runtime

-- debconf information:
* ssh/privsep_tell: 
  ssh/insecure_rshd: 
  ssh/privsep_ask: true
* ssh/ssh2_keys_merged: 
* ssh/user_environment_tell: 
* ssh/forward_warning: 
* ssh/insecure_telnetd: 
  ssh/new_config: true
  ssh/ancient_version: 
* ssh/use_old_init_script: true
  ssh/protocol2_only: true
  ssh/rootlogin_warning: 
  ssh/encrypted_host_key_but_no_keygen: 
* ssh/run_sshd: true
* ssh/upgrade_to_openssh: true
* ssh/SUID_client: false
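The report hinges on two facts that are easy to overlook: with `PrintMotd no` and `PrintLastLog no` sshd does not print the MOTD or the last-login line itself, and sshd has no mail-check directive at all, so all three notices depend entirely on the `session optional` PAM modules running. The following is an added example (not code from the report or from the ssh package) that parses PAM service-file lines and an sshd_config fragment and works out who is expected to produce each notice. The sample PAM and sshd_config texts are constructed from the lines quoted above, the `pam_unix.so` rules are assumed filler, and the sshd defaults it assumes (PrintMotd yes, PrintLastLog yes, UsePAM no) are the stock ones. If every notice comes out as "pam", the symptom in the report (no MOTD, no mail message) is exactly what you would see when the session stack is not run.

```python
import re
from dataclasses import dataclass

# Constructed sample of /etc/pam.d/sshd; the three "session optional" lines
# are the ones quoted in the report, the pam_unix.so rules are assumed filler.
PAM_SSHD = """\
# /etc/pam.d/sshd (constructed sample)
auth       required     pam_unix.so
account    required     pam_unix.so
session    required     pam_unix.so
session    optional     pam_motd.so
session    optional     pam_lastlog.so  never
session    optional     pam_mail.so standard noenv
"""

# Constructed sshd_config fragment with the notice-related directives
# taken from the report.
SSHD_CONFIG = """\
UsePrivilegeSeparation yes
PrintMotd no
PrintLastLog no
UsePAM yes
"""


@dataclass
class PamRule:
    phase: str      # auth, account, password or session
    control: str    # required, requisite, sufficient, optional or "[...]" form
    module: str     # e.g. pam_motd.so
    args: tuple     # module arguments, e.g. ("standard", "noenv")


# phase, control (plain word or bracketed form with spaces), module, rest
_PAM_LINE = re.compile(r"^(-?\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Parse PAM service-file lines into PamRule objects.

    Comments, blank lines and Debian-style '@include' lines are skipped; a
    leading '-' on the phase (silence a missing module) is dropped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = _PAM_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        phase, control, module, rest = m.groups()
        rules.append(PamRule(phase.lstrip("-"), control, module, tuple(rest.split())))
    return rules


def parse_sshd_config(text):
    """Return sshd_config keywords (lower-cased) mapped to their first value."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key, value = parts[0], parts[1] if len(parts) > 1 else ""
        opts.setdefault(key.lower(), value)              # sshd keeps the first occurrence
    return opts


def optional_session_modules(pam_text):
    """Modules in the session phase whose control flag is 'optional'."""
    return [r.module for r in parse_pam(pam_text)
            if r.phase == "session" and r.control == "optional"]


def expected_notices(pam_text, sshd_text):
    """Who is expected to produce each login notice: 'sshd', 'pam' or 'none'.

    Assumed sshd defaults: PrintMotd yes, PrintLastLog yes, UsePAM no.
    """
    opts = parse_sshd_config(sshd_text)

    def yes(key, default):
        return opts.get(key, default).lower() == "yes"

    use_pam = yes("usepam", "no")
    session = {r.module for r in parse_pam(pam_text) if r.phase == "session"}

    def owner(sshd_does_it, module):
        if sshd_does_it:
            return "sshd"
        if use_pam and module in session:
            return "pam"
        return "none"

    return {
        "motd": owner(yes("printmotd", "yes"), "pam_motd.so"),
        "lastlog": owner(yes("printlastlog", "yes"), "pam_lastlog.so"),
        # sshd has no mail-check directive: only PAM can print "You have mail".
        "mail": owner(False, "pam_mail.so"),
    }


if __name__ == "__main__":
    print("optional session modules:", optional_session_modules(PAM_SSHD))
    print("expected notice owners:", expected_notices(PAM_SSHD, SSHD_CONFIG))
```

Run against the constructed sample every notice is owned by "pam", which is why a skipped session stack shows up as a silent login rather than an error; feeding in a config with `UsePAM no` moves the MOTD and lastlog lines back to sshd and leaves the mail notice with no owner at all.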
