Package: ssh-krb5
Version: 3.8.1p1-10
Severity: important

The pam close session modules are not being called, despite code in
auth-pam.c that seems like it should call them.  After I added some
print statements to the code (having made no other changes), the
variable sshpam_session_open appears a small number of times in the
code:

% grep -R sshpam_session_open .
auth-pam.c:static int sshpam_session_open = 0;
auth-pam.c:     logit("Variable is before check %d", sshpam_session_open);
auth-pam.c:     if (sshpam_session_open) {
        (the pam_close_session call is inside this if statement)
auth-pam.c:             sshpam_session_open = 0;
auth-pam.c:     logit("Variable is before being set %d", sshpam_session_open);
auth-pam.c:     sshpam_session_open = 1;
auth-pam.c:     logit("Variable is after being set %d", sshpam_session_open);

Running the sshd built from this and then logging in and then out
gives the following output in my auth.log, where the 4-second delay
was the length of my login session:

Jun 10 20:33:21 vinegar-pot sshd[9715]: Variable is before being set 0
Jun 10 20:33:21 vinegar-pot sshd[9715]: Variable is after being set 1
Jun 10 20:33:25 vinegar-pot sshd[23685]: Variable is before check 0

Thus, sshpam_session_open is somehow changing from 1 to 0 between
being set and being checked, causing the close session modules to not
be executed.  


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.16.11-grsec
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages ssh-krb5 depends on:
ii  adduser                       3.63       Add and remove users and groups
ii  debconf [debconf-2.0]         1.4.30.13  Debian configuration management sy
ii  libc6                         2.3.6-7    GNU C Library: Shared libraries
ii  libpam-runtime                0.76-22    Runtime support for the PAM librar
ii  libpam0g                      0.76-22    Pluggable Authentication Modules l
ii  libwrap0                      7.6.dbs-8  Wietse Venema's TCP wrappers libra

-- debconf information:
* ssh/privsep_tell:
  ssh/insecure_rshd:
* ssh/privsep_ask: true
  ssh/ssh2_keys_merged:
  ssh/user_environment_tell:
* ssh/forward_warning:
  ssh/insecure_telnetd:
* ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: false
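
The log lines in the report above carry two different sshd PIDs (9715 for the set, 23685 for the check). As an added illustration, not part of the original report and not OpenSSH code, the C program below shows that a file-scope static set in one process stays 0 in another, so a guarded cleanup there never runs. That this is what happens in sshd here is an assumption; session_open, close_calls, cleanup, run_split and run_single are hypothetical names.

```c
/* Added illustration with hypothetical names; not OpenSSH code. */
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

static int session_open = 0; /* stands in for sshpam_session_open */
static int close_calls = 0;  /* counts simulated pam_close_session calls */

/* Guarded cleanup as in the report: close only if the flag is set. */
static void cleanup(void)
{
    if (session_open) { close_calls++; session_open = 0; }
}

/* Child sets the flag, parent runs cleanup; returns parent's close count. */
int run_split(int *child_view)
{
    int status;
    pid_t pid;

    session_open = close_calls = 0;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        session_open = 1;    /* changes only this process's copy */
        _exit(session_open); /* report the child's value: 1 */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    *child_view = WEXITSTATUS(status);
    cleanup();               /* parent's copy is still 0: no close */
    return close_calls;
}

/* Same sequence in one process: the close runs once. */
int run_single(void)
{
    session_open = 1;
    close_calls = 0;
    cleanup();
    return close_calls;
}

int main(void)
{
    int child = -1, split = run_split(&child);
    printf("split: child=%d closes=%d; single: closes=%d\n", child, split, run_single());
    return 0;
}
```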

