Date: Sat, 11 Aug 2001 01:57:17 +0900 (JST) From: Takanori Saneto <sanewo@ba2.so-net.ne.jp> To: FreeBSD-gnats-submit@freebsd.org Subject: bin/29609: yet another core dump caused by pam_ssh Message-ID: <200108101657.f7AGvHX21567@ba2.so-net.ne.jp>
next in thread | raw e-mail | index | archive | help
>Number: 29609
>Category: bin
>Synopsis: yet another core dump caused by pam_ssh
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Aug 10 10:00:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Takanori Saneto
>Release: FreeBSD 5.0-CURRENT i386
>Organization:
an individual
>Environment:
System: FreeBSD muse.sanewo 5.0-CURRENT FreeBSD 5.0-CURRENT #3: Fri Aug 10 08:39:44 JST 2001 root@:/export/usr.obj/usr/src/sys/MUSE i386
-CURRENT as of 2001/08/10, with following lines in /etc/pam.conf:
xdm auth requisite pam_cleartext_pass_ok.so
xdm auth required pam_nologin.so
xdm auth sufficient pam_ssh.so try_first_pass
xdm auth required pam_unix.so
xdm account required pam_unix.so
xdm session optional pam_ssh.so
xdm session required pam_deny.so
xdm password required pam_deny.so
>Description:
/usr/src/lib/libpam/modules/pam_ssh/pam_ssh.c has couple of bugs which cause:
1) xdm dumps core
2) ssh1 private key is not passed to ssh-agent
3) ssh2 RSA key seems not handled properly (just a guess from source)
4) ssh_get_authentication_connectionen() fails to get connection because of
SSH_AUTH_SOCK not defined.
>How-To-Repeat:
With pam.conf shown above, invoke xdm and try to login.
>Fix:
In my environment, following patch seems to fix above problems.
But I'm not sure this is the right way to do, especially for problem
#4. (modifying ssh_get_authentication_connection() so that it takes an
argument for the name of socket file could be better?)
Summary of fix:
1) treatment of environment string was incorrect. does it right as in ports/security/pam_ssh.
2) key type of ssh1 key should be KEY_RSA1, not KEY_RSA.
3) typo fixed (one of KEY_DSA should be KEY_RSA)
4) use putenv() to put SSH_AUTH_SOCK to the environment
Index: pam_ssh.c
===================================================================
RCS file: /export/cvsup/cvs/src/lib/libpam/modules/pam_ssh/pam_ssh.c,v
retrieving revision 1.14
diff -u -u -r1.14 pam_ssh.c
--- pam_ssh.c 2001/08/04 21:51:14 1.14
+++ pam_ssh.c 2001/08/07 14:02:37
@@ -199,7 +199,7 @@
}
pam_auth_dsa = auth_via_key(pamh, KEY_DSA, SSH_CLIENT_ID_DSA, dotdir,
pwd, pass);
- pam_auth_rsa = auth_via_key(pamh, KEY_RSA, SSH_CLIENT_IDENTITY, dotdir,
+ pam_auth_rsa = auth_via_key(pamh, KEY_RSA1, SSH_CLIENT_IDENTITY, dotdir,
pwd, pass);
authenticated = 0;
if (pam_auth_dsa == PAM_SUCCESS)
@@ -234,7 +234,7 @@
/* RSA keys */
else if (strncmp(dotdir_ent->d_name, SSH2_RSA_PREFIX,
strlen(SSH2_RSA_PREFIX)) == 0)
- retval = auth_via_key(pamh, KEY_DSA,
+ retval = auth_via_key(pamh, KEY_RSA,
dotdir_ent->d_name, dotdir, pwd, pass);
/* skip other files */
else
@@ -374,11 +374,11 @@
if (env_fp)
fputs(env_string, env_fp);
env_value = strchr(env_string, '=');
- if (env_value == NULL) {
- env_end = strchr(env_value, ';');
- if (env_end != NULL)
- continue;
- }
+ if (env_value == NULL)
+ continue;
+ env_end = strchr(env_value, ';');
+ if (env_end == NULL)
+ continue;
*env_end = '\0';
/* pass to the application ... */
retval = pam_putenv(pamh, env_string);
@@ -388,6 +388,7 @@
fclose(env_fp);
PAM_RETURN(PAM_SERVICE_ERR);
}
+ (void)putenv(env_string);
*env_value++ = '\0';
if (strcmp(&env_string[strlen(env_string) -
strlen(ENV_SOCKET_SUFFIX)], ENV_SOCKET_SUFFIX) == 0) {
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200108101657.f7AGvHX21567>