Bug#242236: sshd+pam+ldap bug reproduced
I can reproduce something very similar with ssh_3.8p1-{2,3}. If I
forcibly disconnect the ssh session of an LDAP user with "<enter>~.",
the sshd fork keeps running and uses all available CPU.
    ldapuser 1810 62.6 6.6 6652 1904 ? R 12:47 0:09 sshd: ldapuser@notty
    ldapuser 1811 2.0 0.0 0 0 ? Z 12:47 0:00 [bash] <defunct>
This only happens if the user logged in with public key authentication,
it does not happen with password authentication. Whether I use nscd or
not does not seem to matter in my case.
Disabling pam_ldap.so in /etc/pam.d/common-sessions fixed this for me.
In /etc/pam.d/common-sessions:
    #session sufficient pam_ldap.so
    session required pam_unix.so
According to the libpam-ldap changelog, pam_ldap just returns PAM_IGNORE
for pam_sm_{open,close}_session, so pam_unix.so should be enough.
A different workaround is to disable sshd privilege separation. If I set
UsePrivilegeSeparation to "no" in /etc/ssh/sshd_config, sshd does not
crash when pam_ldap.so is enabled in /etc/pam.d/common-sessions.
--
Bart
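
Added example, not part of the message above or of the sshd/pam_ldap code: a check that scans process listings for the symptom reported here, a per-session sshd process that is runnable, burning CPU, and parent of a defunct shell. The `ps -eo user,pid,ppid,pcpu,stat,args` column set, the 50% CPU threshold, the PPID values and the extra sample rows are assumptions made for the example.

```python
# Constructed sample in the layout of `ps -eo user,pid,ppid,pcpu,stat,args`,
# modelled on the two processes quoted in the report. The PPID column and
# the other rows are assumptions added for the example.
SAMPLE_PS = """\
USER       PID  PPID %CPU STAT COMMAND
root       700     1  0.0 Ss   /usr/sbin/sshd
root      1805   700  0.0 Ss   sshd: ldapuser [priv]
ldapuser  1810  1805 62.6 R    sshd: ldapuser@notty
ldapuser  1811  1810  0.0 Z    [bash] <defunct>
root      1900   700  0.0 Ss   sshd: alice [priv]
alice     1902  1900  0.1 S    sshd: alice@pts/0
alice     1903  1902  0.0 Ss   -bash
"""


def parse_ps(text):
    """Turn ps output into dicts, skipping the header and short lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 5)  # args may contain spaces, keep it whole
        if len(parts) < 6 or not parts[1].isdigit():
            continue
        user, pid, ppid, pcpu, stat, args = parts
        rows.append({"user": user, "pid": int(pid), "ppid": int(ppid),
                     "pcpu": float(pcpu), "stat": stat, "args": args})
    return rows


def find_stuck_sshd(rows, cpu_threshold=50.0):
    """Return (pid, user, pcpu) for per-session sshd processes that are
    runnable, at or above the CPU threshold, and parent of a zombie."""
    zombie_parents = {r["ppid"] for r in rows if r["stat"].startswith("Z")}
    return [(r["pid"], r["user"], r["pcpu"]) for r in rows
            if r["args"].startswith("sshd: ")      # per-session sshd title
            and r["stat"].startswith("R")          # spinning, not sleeping
            and r["pcpu"] >= cpu_threshold
            and r["pid"] in zombie_parents]        # its shell is defunct


if __name__ == "__main__":
    for pid, user, pcpu in find_stuck_sshd(parse_ps(SAMPLE_PS)):
        print(f"possible stuck sshd session: pid={pid} user={user} cpu={pcpu}%")
```

Requiring the zombie child as well as the CPU load keeps a busy but healthy session (a large scp, for instance) from being flagged.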