
Bug#278394: marked as done (PAM not run in single address space)



Your message dated Fri, 12 Nov 2004 06:32:17 -0500
with message-id <E1CSZf7-0005lp-00@newraff.debian.org>
and subject line Bug#278394: fixed in openssh 1:3.8.1p1-8.sarge.3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 26 Oct 2004 17:43:48 +0000
>From hartmans@debian.org Tue Oct 26 10:43:48 2004
Return-path: <hartmans@debian.org>
Received: from carter-zimmerman.mit.edu (cz.mit.edu) [18.18.3.197] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CMVMJ-0006lg-00; Tue, 26 Oct 2004 10:43:47 -0700
Received: by cz.mit.edu (Postfix, from userid 8042)
	id B11E9160018; Tue, 26 Oct 2004 13:44:01 -0400 (EDT)
To: submit@bugs.debian.org
Subject: PAM not run in single address space
From: Sam Hartman <hartmans@debian.org>
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)
Date: Tue, 26 Oct 2004 13:43:51 -0400
Message-ID: <tslekjlml2g.fsf@cz.mit.edu>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha1; protocol="application/pgp-signature"
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

--=-=-=

package: ssh
severity: serious
justification: breaks unrelated packages; violation of pam mini-policy
tags: sarge, sid, patch

Hi.  During the ssh 3.7 and 3.8 porting effort I pointed out on
debian-ssh that you needed to be aware of issues surrounding PAM
support in openssh starting with 3.7.

The problem is that the fine folks at openssh had some trouble with
their event loop and decided to spin the pam authentication stuff off
into its own process.  This is bad because it breaks pam in several
ways.  The primary way is that the same authentication handle is not
used for both pam_authenticate and pam_open_session/pam_setcred.

This is bad because it prevents pam modules from setting up
credentials and writing them out/enabling them during the set_cred
phase.

It breaks several pam modules, most notably from my standpoint
pam_krb5.  It's also a violation of how PAM is intended to be used.
For this reason it is a violation of the Debian PAM mini-policy found
in /usr/share/doc/libpam0g on all Debian systems.


The OpenSSH folks did provide a fix: the -DUSE_POSIX_THREADS compiler
option.  Unfortunately this is disabled in the ssh package.

Here's a patch to fix this.  I consider this problem fairly serious
and hope we can come to quick agreement on a solution for sarge.

----------------------------------------------------------------------
r228:  hartmans | 2004-10-26T17:36:39.333006Z

Enable posix threads for pam so everything is in one address space
----------------------------------------------------------------------
=== trunk/openssh-krb5/debian/rules
==================================================================
--- trunk/openssh-krb5/debian/rules  (revision 227)
+++ trunk/openssh-krb5/debian/rules  (revision 228)
@@ -64,10 +64,10 @@
 	mkdir -p build-deb
 	(cd build-deb && ../configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin --with-superuser-path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 \
 		--with-privsep-path=/var/run/sshd  --without-rand-helper --with-kerberos5=/usr --with-kerberos4=/usr \
-	--disable-strip)
+	--disable-strip --with-ldflags='-pthread' )
 	# Some 2.2 kernels have trouble with setres[ug]id() (bug #239999).
 	perl -pi -e 's/.*#undef (BROKEN_SETRES[UG]ID).*/#define $$1 1/' build-deb/config.h
-	$(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='$(OPTFLAGS) -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -DSSH_VERSION="\"$(SSH_VERSION)\""' SSH_KEYSIGN='/usr/lib/ssh-keysign'
+	$(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='$(OPTFLAGS) -g -Wall -DUSE_POSIX_THREADS -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -DSSH_VERSION="\"$(SSH_VERSION)\""' SSH_KEYSIGN='/usr/lib/ssh-keysign'
 
 
 	touch build-deb-stamp
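
Review bot: in the `$(MAKE)` line, `-DUSE_POSIX_THREADS` is added to CFLAGS, but `-pthread` reaches only the linker through `--with-ldflags`; because CFLAGS given on the make command line overrides whatever configure selected, the threaded PAM code is compiled without `-pthread`. Suggest adding `-pthread` to the CFLAGS string too so compile and link flags agree, dropping the stray space before `)` in `--with-ldflags='-pthread' )`, and adding a short comment above the configure call saying the define keeps PAM in sshd's address space (Bug#278394) so a later cleanup of the rules file does not silently remove it.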


--=-=-=
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQBBfozh/I12czyGJg8RAnS/AJwIJDfb1e5G5ckqhMt2OrzyJE8+SgCfVcJ9
6fvWj26ulUoO5IbuG5ZI8OY=
=is7l
-----END PGP SIGNATURE-----
--=-=-=--
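
The failure mode described in the report above, as an added example that is not part of the original message or of OpenSSH: state written during an authentication phase that runs in a forked child never reaches the parent's handle, while the same phase run in a thread shares it. `struct handle`, `auth_phase` and `setcred_phase` are hypothetical stand-ins for `pam_handle_t`, `pam_authenticate` and `pam_setcred`; no libpam calls are made and the ticket string is constructed.

```c
#include <pthread.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for pam_handle_t: module state lives in process memory. */
struct handle { char ccache[64]; };

/* Stand-in for pam_authenticate(): a module stashes data for later phases. */
static void *auth_phase(void *arg) {
    struct handle *h = arg;
    strcpy(h->ccache, "krb5-ticket");        /* constructed sample value */
    return NULL;
}

/* Stand-in for pam_setcred(): it can only use what this handle holds. */
static int setcred_phase(const struct handle *h) {
    return h->ccache[0] != '\0';             /* 1 = credentials available */
}

/* Authentication in a forked child: the write lands in the child's copy. */
int setcred_after_fork(void) {
    struct handle h = {{0}};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { auth_phase(&h); _exit(0); }
    waitpid(pid, NULL, 0);
    return setcred_phase(&h);                /* parent's handle is still empty */
}

/* Authentication in a thread: same address space, same handle. */
int setcred_after_thread(void) {
    struct handle h = {{0}};
    pthread_t t;
    if (pthread_create(&t, NULL, auth_phase, &h) != 0) return -1;
    pthread_join(t, NULL);
    return setcred_phase(&h);                /* sees the data stored by auth */
}

int main(void) {
    /* Exit status 0 when the fork path loses the state and the thread path keeps it. */
    return !(setcred_after_fork() == 0 && setcred_after_thread() == 1);
}
```

Build with `cc -pthread`; the two functions return 0 and 1 respectively, which is the difference the `-DUSE_POSIX_THREADS` build is meant to remove.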

---------------------------------------
Received: (at 278394-close) by bugs.debian.org; 12 Nov 2004 11:38:15 +0000
>From katie@ftp-master.debian.org Fri Nov 12 03:38:15 2004
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CSZks-0008El-00; Fri, 12 Nov 2004 03:38:14 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1CSZf7-0005lp-00; Fri, 12 Nov 2004 06:32:17 -0500
From: Colin Watson <cjwatson@debian.org>
To: 278394-close@bugs.debian.org
X-Katie: $Revision: 1.51 $
Subject: Bug#278394: fixed in openssh 1:3.8.1p1-8.sarge.3
Message-Id: <E1CSZf7-0005lp-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Fri, 12 Nov 2004 06:32:17 -0500
Delivered-To: 278394-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Source: openssh
Source-Version: 1:3.8.1p1-8.sarge.3

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_3.8.1p1-8.sarge.3_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_3.8.1p1-8.sarge.3_powerpc.udeb
openssh-server-udeb_3.8.1p1-8.sarge.3_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_3.8.1p1-8.sarge.3_powerpc.udeb
openssh_3.8.1p1-8.sarge.3.diff.gz
  to pool/main/o/openssh/openssh_3.8.1p1-8.sarge.3.diff.gz
openssh_3.8.1p1-8.sarge.3.dsc
  to pool/main/o/openssh/openssh_3.8.1p1-8.sarge.3.dsc
ssh-askpass-gnome_3.8.1p1-8.sarge.3_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-8.sarge.3_powerpc.deb
ssh_3.8.1p1-8.sarge.3_powerpc.deb
  to pool/main/o/openssh/ssh_3.8.1p1-8.sarge.3_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 278394@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 12 Nov 2004 10:31:12 +0000
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server-udeb
Architecture: source powerpc
Version: 1:3.8.1p1-8.sarge.3
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh        - Secure rlogin/rsh/rcp replacement (OpenSSH)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 278394 278715 280190
Changes: 
 openssh (1:3.8.1p1-8.sarge.3) unstable; urgency=low
 .
   * Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
   * debconf template translations:
     - Update Dutch (thanks, cobaco; closes: #278715).
   * Correct README.Debian's ForwardX11Trusted description (closes: #280190).
Files: 
 623fbfd12873e27ba874ca02a6f64bab 906 net standard openssh_3.8.1p1-8.sarge.3.dsc
 22fa5b7b3232bd7f583be97a54aaf4f6 156186 net standard openssh_3.8.1p1-8.sarge.3.diff.gz
 5aa5c9399f90758219e623f3788ba16c 737112 net standard ssh_3.8.1p1-8.sarge.3_powerpc.deb
 38b147f7447e86bceafb4af4c759fdea 52588 gnome optional ssh-askpass-gnome_3.8.1p1-8.sarge.3_powerpc.deb
 8045bed8de34e0596061b5c1b6835acd 151070 debian-installer optional openssh-client-udeb_3.8.1p1-8.sarge.3_powerpc.udeb
 93eadd0ce5c675889492d618573f2fd5 160042 debian-installer optional openssh-server-udeb_3.8.1p1-8.sarge.3_powerpc.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD8DBQFBlJdR9t0zAhD6TNERAg7MAJ9QWFg+63F4CR+PplXNyqKZ7fkO+wCdF4Q5
+GAUnHdXboZNK3qpHO0gq+I=
=ljgh
-----END PGP SIGNATURE-----



