Bug#405041: openssh-server: Problem with pam-stack. Cleanup doesn't call pam_end() after auth failure and breaks pam-abl
Package: openssh-server
Version: 1:4.3p2-7, 1:4.3p2-8
Severity: important
Tags: patch
If the connection to the ssh-server is closed, lost, etc. then
the do_cleanup function in session.c is called. In newer
openssh-server version, e.g. 1:4.3p2-7 a line is modified
if (authctxt == NULL || !authctxt->authenticated)
return;
which returns from cleanup if authctxt->authenticated
is NULL. The openssh_4.3p2.orig contains
if (authctxt == NULL)
return;
If the connection is not authenticated, (e.g. fals password)
then no line after this will be reached and therefore not the
following block
#ifdef USE_PAM
if (options.use_pam) {
sshpam_cleanup();
sshpam_thread_cleanup();
}
#endif
and so no pam-cleanup, which calls pam_end is done. But
this is needed by pam-modules like pam-abl to log
the failed trial.
I suggest to leave the openssh_4.3p2.orig line
if (authctxt == NULL)
return;
or use the following patch, which tests authctxt->authenticated
after pam-cleanup.
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (300, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-k7
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
--- openssh-4.3p2-debian/session.c 2006-12-23 11:32:15.000000000 +0100
+++ openssh/session.c 2006-12-23 12:54:06.000000000 +0100
@@ -2440,7 +2440,7 @@
return;
called = 1;
- if (authctxt == NULL || !authctxt->authenticated)
+ if (authctxt == NULL)
return;
#ifdef KRB5
if (options.kerberos_ticket_cleanup &&
@@ -2459,6 +2459,8 @@
sshpam_thread_cleanup();
}
#endif
+ if (!authctxt->authenticated)
+ return;
/* remove agent socket */
auth_sock_cleanup_proc(authctxt->pw);
Reply to: