Richard A Nelson <[EMAIL PROTECTED]> writes:

> I found some odd news!
>
> After building openssh on a recent Sid box, the pam account module
> now works as expected - no segv :) This, along with the fact that
> there's a new openssh version (with supposed changes in this area),
> makes it seem like getting ssh rebuilt soon is a good idea!
>
> However, the session module still blows chunks, and since it is called
> by the subordinate (unprivileged) thread, I don't know how to trap it:

I spent an hour this evening tracking this down. The problem is that Heimdal isn't using symbol versioning in its shared libraries. libpam-heimdal therefore binds to unversioned symbols, which works fine if the calling program doesn't load any other Kerberos library. However, OpenSSH is linked with MIT Kerberos, and therefore at run time the unversioned libpam-heimdal symbols are bound to the MIT Kerberos version of libkrb5 which is already loaded in memory and chaos ensues.

valgrind was the debugging tool that finally gave me the necessary clue. The segfault kept showing up with backtraces inside libkrb5.3.3 instead of libkrb5.24.0.0. The specific crashes that you're seeing are inside the profile library calls, but that's just because that's the first significant Kerberos library code that the PAM module calls that differs between MIT Kerberos and Heimdal.

This is a bug in the Debian Heimdal packages, I believe. They used to use symbol versioning precisely because of this problem; see Bug#205592 which was closed in 0.6-4. It looks like that was lost or dropped somewhere along the way. I'm copying Brian May on this. I think the bug should probably be reassigned to the heimdal source package.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
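
The following check is an added example, not part of the original message or of any Debian package: it parses `readelf --dyn-syms -W` output for a module and for a library already loaded in the host process, and lists the module's unversioned imports that the loaded library defines, which is the condition for the cross-binding described above. The sample tables and the version node `EXAMPLE_VER_1` are constructed for illustration.

```python
import re

# One row of `readelf --dyn-syms -W`: Num: Value Size Type Bind Vis Ndx Name
ROW = re.compile(
    r"^\s*\d+:\s+[0-9a-fA-F]+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)")

def parse_dynsyms(text):
    """Return (unversioned imports, {exported name: version or None})."""
    imports, exports = set(), {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        stype, bind, ndx, name = m.groups()
        if bind not in ("GLOBAL", "WEAK") or stype not in ("FUNC", "OBJECT", "NOTYPE"):
            continue
        base, _, version = name.partition("@")   # name@VER or name@@VER
        version = version.lstrip("@")
        if ndx == "UND":
            if not version:                       # reference carries no version
                imports.add(base)
        else:
            exports[base] = version or None
    return imports, exports

def cross_bind_risk(module_syms, loaded_lib_syms):
    """Unversioned imports of the module that the loaded library defines."""
    imports, _ = parse_dynsyms(module_syms)
    _, exports = parse_dynsyms(loaded_lib_syms)
    return sorted(name for name in imports if name in exports)

# Constructed sample: a PAM module built against an unversioned Kerberos library.
PAM_MODULE_DYNSYMS = """
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND krb5_init_context
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND krb5_get_default_realm
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.2.5 (2)
     4: 0000000000001a40   312 FUNC    GLOBAL DEFAULT   12 pam_sm_open_session
"""
# Constructed sample: a different Kerberos library already loaded by the host.
LOADED_LIB_DYNSYMS = """
    10: 0000000000021f30   141 FUNC    GLOBAL DEFAULT   12 krb5_init_context@@EXAMPLE_VER_1
    11: 0000000000034c10    88 FUNC    GLOBAL DEFAULT   12 krb5_get_default_realm@@EXAMPLE_VER_1
    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.2.5 (3)
"""

if __name__ == "__main__":
    for name in cross_bind_risk(PAM_MODULE_DYNSYMS, LOADED_LIB_DYNSYMS):
        print("unversioned import may bind to loaded library:", name)
```

An empty result means every Kerberos import in the module carries a version tag, so the dynamic linker will not satisfy it from a library that exports the same name under a different version.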