[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#405041: openssh-server: Problem with pam-stack. Cleanup doesn't call pam_end() after auth failure and breaks pam-abl

Package: openssh-server
Version: 1:4.3p2-7, 1:4.3p2-8
Severity: important
Tags: patch

If the connection to the ssh-server is closed, lost, etc. then
the do_cleanup function in session.c is called. In newer 
openssh-server version, e.g. 1:4.3p2-7 a line is modified
  if (authctxt == NULL || !authctxt->authenticated)
which returns from cleanup if authctxt->authenticated
is NULL. The openssh_4.3p2.orig contains 
  if (authctxt == NULL)

If the connection is not authenticated, (e.g. fals password)
then no line after this will be reached and therefore not the 
following block
#ifdef USE_PAM
  if (options.use_pam) {
and so no pam-cleanup, which calls pam_end is done. But
this is needed by pam-modules like pam-abl to log
the failed trial.

I suggest to leave the openssh_4.3p2.orig line
  if (authctxt == NULL)
or use the following patch, which tests authctxt->authenticated
after pam-cleanup.

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (300, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-k7
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

--- openssh-4.3p2-debian/session.c	2006-12-23 11:32:15.000000000 +0100
+++ openssh/session.c	2006-12-23 12:54:06.000000000 +0100
@@ -2440,7 +2440,7 @@
 	called = 1;
-	if (authctxt == NULL || !authctxt->authenticated)
+	if (authctxt == NULL)
 #ifdef KRB5
 	if (options.kerberos_ticket_cleanup &&
@@ -2459,6 +2459,8 @@
+	if (!authctxt->authenticated)
+		return;
 	/* remove agent socket */

Reply to: