Re: Bug#453241: still broken (and partly openssh's fault)
Richard A Nelson <firstname.lastname@example.org> writes:
> I found some odd news!
> After building openssh on a recent Sid box, the pam account module
> now works as expected - no segv :) This, along with the fact that
> there's a new openssh version (with supposed changes in this area),
> makes it seem like getting ssh rebuilt soon is a good idea !
> However, the session module still blows chunks, and since it is called
> by the subordinate (unpriviledged) thread, I don't know how to trap it:
I spent an hour this evening tracking this down. The problem is that
Heimdal isn't using symbol versioning in its shared libraries.
libpam-heimdal therefore binds to unversioned symbols, which works fine if
the calling program doesn't load any other Kerberos library. However,
OpenSSH is linked with MIT Kerberos, and therefore at run time the
unversioned libpam-heimdal symbols are bound to the MIT Kerberos version
of libkrb5 which is already loaded in memory and chaos ensues. valgrind
was the debugging tool that finally gave me the necessary clue. The
segfault kept showing up with backtraces inside libkrb5.3.3 instead of
The specific crashes that you're seeing are inside the profile library
calls, but that's just because that's the first significant Kerberos
library code that the PAM module calls that differs between MIT Kerberos
This is a bug in the Debian Heimdal packages, I believe. They used to use
symbol versioning precisely because of this problem; see Bug#205592 which
was closed in 0.6-4. It looks like that was lost or dropped somewhere
along the way.
I'm copying Brian May on this. I think the bug should probably be
reassigned to the heimdal source package.
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>