From owner-freebsd-stable  Mon Jun 11 13:16:28 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from ns.altadena.net (ns.altadena.net [206.126.144.2])
	by hub.freebsd.org (Postfix) with ESMTP id 1F6F137B408
	for <stable@freebsd.org>; Mon, 11 Jun 2001 13:16:16 -0700 (PDT)
	(envelope-from pete@ns.altadena.net)
Received: (from pete@localhost)
	by ns.altadena.net (8.11.3/8.8.8) id f5BKF4M45688
	for stable@freebsd.org; Mon, 11 Jun 2001 13:15:04 -0700 (PDT)
	(envelope-from pete)
From: Pete Carah <pete@ns.altadena.net>
Message-Id: <200106112015.f5BKF4M45688@ns.altadena.net>
Subject: Re: Patch for PAM/ssh problem (was Re: sshd failing 
In-Reply-To: <20010611132736.B14299@vger.bsdhome.com>
To: stable@freebsd.org
Date: Mon, 11 Jun 2001 13:15:04 -0700 (PDT)
References: <200106111552.f5BFqAB20461@earth.backplane.com> <20010611105748.A14299@vger.bsdhome.com>
X-Mailer: ELM [version 2.4ME+ PL68 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=iso8859-1
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

Looks like Mark backed the PAM updates out, this morning.  Looks to me 
like they required too many changes to other utilities, like sshd 
(among other things).  He told me that he wasn't prepared to bring 
in *all* the changes yet in an answer to my earlier note about sshd.

Since sshd works in -current (but is V2.9), with the same PAM version,
I presume they handle loading *some* module in the PKI login case
(this appears to be the problem with 2.3-green and the new PAM; either 
no module gets loaded and PAM fails the setcred (perm is the right
error code for this case), or something like pam_unix gets loaded and 
didn't get used (i.e. no auth, and the saved return code defaults to
perm).  I'd presume they need a pam_permit or such in the PKI login case, 
or use pam_ssh (which doesn't appear to be used in -current yet, at 
least in pam.conf)).

I haven't done any tracing of this like Matt has, so may be all 
(or partly) wet...  Thanks, Matt, for the workaround...

-- Pete

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message