Sjoerd Simons wrote:
On Tue, Jun 01, 2004 at 12:16:23AM +1000, Darren Tucker wrote:You said earlier in the bug report that "Also i noticed that this only happens when using X forwarding", however the logs you just sent do not appear to have X forwarding enabled. Do those logs show the problem you're having?Yes it did.. I just recheckt wich or without X forwarding and it didn't seem tomake a difference. But if i do connect without ssh-agent forwarding (-a) the problem doesn't occur..The quote about X forwaring was from March 11, with an older version of ssh. Maybe something has changed to cause it to trigger without X forwarding ?
There's a few changes between 3.8p1 and 3.8.1p1 in the PAM code, but none that leap out at me as the cause of this problem.
Thinking about this some more: when you authenticate via keyboard-interactive, you're authenticating via pam_authenticate(), however when you use public-key, the pam_authenticate call is skipped. (sshd also does some things differently as a result of needing to call pam_authenticate, for reasons I won't go into).
Now I see 2 possibilities: either the things sshd has to do differently trigger the problem, or the fact that pam_authenticate wasn't called upsets pam_ldap.
A couple of days ago I wrote a crude tool[1] to try and figure out what PAM is doing in such cases. If you feel game, you can use it to simulate roughly what sshd is doing. Check it to make sure there's nothing nasty in it, then compile it with "gcc pam-test-harness.c -lpam" and run it as root with "./a.out -u yourusername -s sshd". (The passwords will echo so make sure no-one is watching over your shoulder).
Now, run it again with "-a", which will cause it to not call pam_authenticate and compare its behaviour. If it hangs with -a, it's probably a pam_ldap bug and you have a largish testcase for the PAM developers. If it doesn't hang, then it's probably something in what sshd does different which triggers it, and more investigation of sshd is needed. Either way, please send the output back, minus any passwords or private information.
[1] http://www.zip.com.au/~dtucker/patches/pam-test-harness.c
Theres a description of it at http://www.zip.com.au/~dtucker/patches/
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.