https://bugzilla.mindrot.org/show_bug.cgi?id=2399

            Bug ID: 2399
           Summary: openssh server should fatal out when pam_setcred and
                    pam_open_session fail
           Product: Portable OpenSSH
           Version: 6.8p1
          Hardware: Sparc
                OS: Solaris
            Status: NEW
          Severity: normal
          Priority: P5
         Component: PAM support
          Assignee: unassigned-b...@mindrot.org
          Reporter: huieying....@oracle.com

Created attachment 2621
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2621&action=edit
bug fix to correctly handle pam_setcred and pam_open_session failure

Currently, when the system has a PAM module configured for the auth PAM
stack that does not actually exist, OpenSSH still allows a user to log
in if the user authentication method is not keyboard-interactive or
password.

For example, in /etc/pam.d/other:

auth required           pam_dhkeys.so.1
auth required           pam_do_not_exist.so.1  <----------- bad
auth binding            pam_unix_auth.so.1 server_policy

In the above situation, pam_setcred() does return an error, but the
server only gives a warning and still allows a user to log in if he/she
doesn't use keyboard-interactive user auth.

This is not the expected behavior.  OpenSSH server should be changed to
exit out when pam_setcred() or pam_open_session() fail.
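The misconfiguration the report describes (an auth stack entry naming a module that is not installed) can be caught before any login is attempted by auditing the PAM service files against the modules actually present on the host. The following is an added example written for this page, not code from OpenSSH or from the attached patch. It parses a constructed /etc/pam.d-style stack modelled on the one above and flags entries whose module file is absent; the installed-module set is constructed inline so the example runs offline, and the module directory path passed to installed_modules_from_dir() is the caller's assumption, not a value taken from the report.

```python
import os
from dataclasses import dataclass

# Constructed sample modelled on the /etc/pam.d/other stack in the report.
SAMPLE_PAM_OTHER = """\
# /etc/pam.d/other (constructed sample for this example)
auth required           pam_dhkeys.so.1
auth required           pam_do_not_exist.so.1
auth binding            pam_unix_auth.so.1 server_policy
account required        pam_unix_account.so.1
session required        pam_unix_session.so.1
"""

# Constructed stand-in for the module files present on the host; a real run
# would build this set with installed_modules_from_dir() instead.
INSTALLED_MODULES = {
    "pam_dhkeys.so.1",
    "pam_unix_auth.so.1",
    "pam_unix_account.so.1",
    "pam_unix_session.so.1",
}

# Control flags whose failure normally fails the whole stack; a missing
# module under one of these is the case the report is about.
STACK_BREAKING_CONTROLS = {"required", "requisite", "binding"}


@dataclass
class PamEntry:
    service_type: str      # auth / account / session / password
    control: str           # required / requisite / sufficient / optional / binding
    module: str            # module file name as written in the stack
    options: list          # remaining fields (module options)
    line_no: int           # 1-based line in the service file


def parse_pam_stack(text):
    """Parse a pam.d-style service file into PamEntry records.

    Comments (from '#' to end of line) and blank lines are skipped; a line
    with fewer than three fields is malformed and ignored here.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        entries.append(PamEntry(fields[0], fields[1], fields[2], fields[3:], line_no))
    return entries


def installed_modules_from_dir(module_dir):
    """Return the set of file names in a PAM module directory.

    The directory is supplied by the caller (assumption for this example,
    e.g. the platform's PAM module directory); an unreadable directory yields
    an empty set so every module is reported missing rather than silently OK.
    """
    try:
        return set(os.listdir(module_dir))
    except OSError:
        return set()


def find_missing_modules(entries, installed):
    """Return (line_no, service_type, control, module) for every entry
    whose module is not in the installed set."""
    return [
        (e.line_no, e.service_type, e.control, e.module)
        for e in entries
        if e.module not in installed
    ]


def audit_report(text, installed):
    """Human-readable findings; stack-breaking controls are marked so an
    admin sees which missing modules will fail pam_setcred()/pam_open_session()."""
    lines = []
    for line_no, stype, control, module in find_missing_modules(parse_pam_stack(text), installed):
        severity = "STACK-BREAKING" if control in STACK_BREAKING_CONTROLS else "warning"
        lines.append(f"line {line_no}: {stype} {control} {module} not installed [{severity}]")
    return lines


if __name__ == "__main__":
    for finding in audit_report(SAMPLE_PAM_OTHER, INSTALLED_MODULES):
        print(finding)
```

Run against a real host, replace INSTALLED_MODULES with installed_modules_from_dir() pointed at the platform's PAM module directory and feed it each file under /etc/pam.d (or the single pam.conf on systems that use one). Any STACK-BREAKING finding in the auth or session type is exactly the condition under which pam_setcred() or pam_open_session() will return an error and the server behaviour described above matters.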

_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
