
Bug#242236: sshd+pam+ldap bug reproduced



I can reproduce something very similar with ssh_3.8p1-{2,3}. If I
forcibly disconnect the ssh session of an LDAP user with "<enter>~.",
the sshd fork keeps running and uses all available CPU.

ldapuser  1810 62.6  6.6  6652 1904 ?        R    12:47   0:09 sshd: ldapuser@notty
ldapuser  1811  2.0  0.0     0    0 ?        Z    12:47   0:00 [bash] <defunct>

This only happens if the user logged in with public key authentication,
it does not happen with password authentication. Whether I use nscd or
not does not seem to matter in my case.

Disabling pam_ldap.so in /etc/pam.d/common-sessions fixed this for me.
In /etc/pam.d/common-sessions:

	#session   sufficient      pam_ldap.so
	session    required        pam_unix.so

According to the libpam-ldap changelog, pam_ldap just returns PAM_IGNORE
for pam_sm_{open,close}_session, so pam_unix.so should be enough.

A different workaround is to disable sshd privilege separation. If I set
UsePrivilegeSeparation to "no" in /etc/ssh/sshd_config, sshd does not
crash when pam_ldap.so is enabled in /etc/pam.d/common-sessions.

-- 
	Bart
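
A way to spot the state described in this report from a process listing, added here as an example and not part of the original message: it flags a per-session sshd process that is runnable, above a CPU threshold, and has a defunct child. The `ps -eo` column set, the 50% threshold, the parent/child link between the two processes and the sample listing are assumptions constructed for illustration.

```python
import subprocess

PS_CMD = ["ps", "-eo", "pid,ppid,stat,pcpu,user,args"]

# Constructed sample of PS_CMD output (modelled on the report, not copied from it).
SAMPLE_PS = """\
  PID  PPID STAT %CPU USER     COMMAND
  412     1 Ss    0.0 root     /usr/sbin/sshd
 1809   412 Ss    0.0 root     sshd: ldapuser [priv]
 1810  1809 R    62.6 ldapuser sshd: ldapuser@notty
 1811  1810 Z     2.0 ldapuser [bash] <defunct>
 2001   412 Ss    0.0 root     sshd: alice [priv]
 2002  2001 S     0.1 alice    sshd: alice@pts/0
 2003  2002 Ss    0.0 alice    -bash
"""

def parse_ps(text):
    """Turn PS_CMD output into a list of dicts, skipping the header and bad rows."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        try:
            pid, ppid, pcpu = int(parts[0]), int(parts[1]), float(parts[3])
        except ValueError:
            continue  # header line or malformed row
        procs.append({"pid": pid, "ppid": ppid, "stat": parts[2],
                      "pcpu": pcpu, "user": parts[4], "args": parts[5]})
    return procs

def find_spinning_sshd(text, cpu_threshold=50.0):
    """Return (pid, user, pcpu) for session sshd processes that look stuck."""
    procs = parse_ps(text)
    # PIDs that have at least one zombie (state Z) child.
    zombie_parents = {p["ppid"] for p in procs if p["stat"].startswith("Z")}
    return [(p["pid"], p["user"], p["pcpu"]) for p in procs
            if p["args"].startswith("sshd: ")       # per-session process, not the listener
            and p["stat"].startswith("R")           # runnable, i.e. burning CPU
            and p["pcpu"] >= cpu_threshold
            and p["pid"] in zombie_parents]

if __name__ == "__main__":
    live = subprocess.run(PS_CMD, capture_output=True, text=True, check=True).stdout
    for pid, user, pcpu in find_spinning_sshd(live):
        print(f"suspect sshd pid={pid} user={user} cpu={pcpu}%")
```

Note that `ps` reports `pcpu` as CPU time over process lifetime, so a session that has only just started spinning can sit below the threshold for a while.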



