https://bugzilla.mindrot.org/show_bug.cgi?id=2399
Bug ID: 2399 Summary: openssh server should fatal out when pam_setcred and pam_open_session fail Product: Portable OpenSSH Version: 6.8p1 Hardware: Sparc OS: Solaris Status: NEW Severity: normal Priority: P5 Component: PAM support Assignee: unassigned-b...@mindrot.org Reporter: huieying....@oracle.com Created attachment 2621 --> https://bugzilla.mindrot.org/attachment.cgi?id=2621&action=edit bug fix to correctly handle pam_setcred and pam_open_session failure Currently, when the system has a PAM module configured for the auth PAM stack that does not actually exist, OpenSSH still allows a user to log in, if user authentication method is not keyboard-interactive or password. For example, in /etc/pam.d/other: auth required pam_dhkeys.so.1 auth required pam_do_not_exist.so.1 <----------- bad auth binding pam_unix_auth.so.1 server_policy In the above situation, pam_setcred() does return an error, but server only give a warning and still allow a user to log in if he/she doesn't use keyboard-interacitve user auth. This is not an expected behavior. OpenSSH server should be changed to exit out when pam_setcred() or pam_open_session() fail. -- You are receiving this mail because: You are watching the assignee of the bug. _______________________________________________ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs