Enabling pam_ssh with want_agent in /etc/pam.d/xdm, ssh-agent is started at login but is not killed at logout. I added the debug option to the session line and got the following logs on both 11.2-STABLE and 12.0-STABLE.

[11.2-STABLE]
Feb 18 09:24:50 XXX xdm[7352]: in pam_getenv(): entering: 'SSH_AGENT_PID'
Feb 18 09:24:50 XXX xdm[7352]: in openpam_findenv(): entering
Feb 18 09:24:50 XXX xdm[7352]: in openpam_findenv(): returning 1
Feb 18 09:24:50 XXX xdm[7352]: in pam_getenv(): returning '7364'
Feb 18 09:24:50 XXX xdm[7352]: in pam_sm_close_session(): killing ssh agent 7364

[12.0-STABLE]
Feb 18 09:14:04 XXX xdm[4425]: in pam_getenv(): entering: 'SSH_AGENT_PID'
Feb 18 09:14:04 XXX xdm[4425]: in openpam_findenv(): entering
Feb 18 09:14:04 XXX xdm[4425]: in openpam_findenv(): returning 1
Feb 18 09:14:04 XXX xdm[4425]: in pam_getenv(): returning '=4437'
Feb 18 09:14:04 XXX xdm[4425]: in pam_sm_close_session(): invalid ssh agent pid

Comparing both versions of /usr/src/contrib/openpam/lib/libpam/pam_getenv.c, I suspect that 12.0-STABLE's pam_getenv() is wrong.
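Added example, not part of the original report and not OpenPAM or pam_ssh code: the two kinds of value seen in the logs above ('=4437' versus a bare number) fed to a strict PID parser. env_lookup(), parse_pid() and the sample environment are hypothetical; the parser is an assumed stand-in for the check that logs "invalid ssh agent pid".

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample environment in NAME=value form (not real data). */
static const char *sample_env[] = {
	"SSH_AUTH_SOCK=/tmp/ssh-sample/agent.4436", "SSH_AGENT_PID=4437", NULL
};

/* Hypothetical lookup over NAME=value strings: skip_equals == 0 returns the
 * pointer at '=' (12.0-STABLE log), 1 the character after it (11.2-STABLE). */
static const char *env_lookup(const char **env, const char *name, int skip_equals)
{
	size_t len = strlen(name);
	for (size_t i = 0; env[i] != NULL; i++) {
		const char *eq = strchr(env[i], '=');
		size_t nlen = eq != NULL ? (size_t)(eq - env[i]) : strlen(env[i]);
		if (nlen != len || strncmp(env[i], name, len) != 0)
			continue;	/* different variable name */
		if (eq == NULL)
			return ("");	/* entry without '=': empty value */
		return (skip_equals ? eq + 1 : eq);
	}
	return (NULL);
}

/* Strict PID parse (assumed, not pam_ssh's code): -1 unless all digits, > 0. */
static long parse_pid(const char *s)
{
	char *end;
	long pid;
	if (s == NULL || *s < '0' || *s > '9')
		return (-1);	/* rejects "=4437", signs and whitespace */
	errno = 0;
	pid = strtol(s, &end, 10);
	return ((errno != 0 || *end != '\0' || pid <= 0) ? -1 : pid);
}

int main(void)
{
	for (int skip = 0; skip <= 1; skip++) {
		const char *v = env_lookup(sample_env, "SSH_AGENT_PID", skip);
		printf("'%s' -> pid %ld\n", v, parse_pid(v));
	}
	return (0);
}
```

With the pointer left at '=', the PID is rejected and the agent is never signalled, which matches the agent surviving logout in the report.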
--- a/contrib/openpam/lib/libpam/pam_getenv.c +++ b/contrib/openpam/lib/libpam/pam_getenv.c @@ -70,7 +70,7 @@ pam_getenv(pam_handle_t *pamh, RETURNS(NULL); if ((str = strchr(pamh->env[i], '=')) == NULL) RETURNS(""); - RETURNS(str); + RETURNS(str + 1); } /** Should fix the issue. Seems like it came in with "Vendor import of OpenPAM Radula".
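Review bot: the changed line, RETURNS(str + 1), has no test covering it, and the off-by-one it corrects is easy to reintroduce. A regression test that stores a variable and checks that pam_getenv() returns the value without the leading '=' would pin this down. It should also cover a variable with an empty value, where str + 1 points at the terminating NUL and the result is "", the same as the existing RETURNS("") branch for an entry with no '='.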
This was independently reported and fixed upstream. I will probably import the patched version sometime next week.
See https://www.openpam.org/wiki/Releases/Tabebuia which I will merge into head shortly.
Committed in r344533.
Cherry pick to stable/12 in https://reviews.freebsd.org/D28528
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=42167258150ebaaade9c09e3dd05ba02249933aa

commit 42167258150ebaaade9c09e3dd05ba02249933aa
Author: Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2019-02-25 18:41:16 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2021-02-10 02:54:35 +0000

    Upgrade to OpenPAM Tabebuia.

    PR: 235903
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D28528

    (cherry picked from commit 23d17223345108c52b96dcc5d7e6dab29e95f3e9)

 contrib/openpam/CREDITS | 1 +
 contrib/openpam/HISTORY | 9 +-
 contrib/openpam/LICENSE | 2 +-
 contrib/openpam/Makefile.in | 39 +-
 contrib/openpam/RELNOTES | 4 +-
 contrib/openpam/aclocal.m4 | 192 +++----
 contrib/openpam/bin/Makefile.in | 31 +-
 .../openpam/bin/openpam_dump_policy/Makefile.in | 50 +-
 contrib/openpam/bin/pamtest/Makefile.in | 46 +-
 contrib/openpam/bin/pamtest/pamtest.1 | 4 +-
 contrib/openpam/bin/su/Makefile.in | 46 +-
 contrib/openpam/bin/su/su.1 | 4 +-
 contrib/openpam/compile | 13 +-
 contrib/openpam/config.h.in | 9 +-
 contrib/openpam/config.sub | 4 +-
 contrib/openpam/configure | 610 ++++++++++++---------
 contrib/openpam/configure.ac | 38 +-
 contrib/openpam/depcomp | 10 +-
 contrib/openpam/doc/Makefile.in | 31 +-
 contrib/openpam/doc/man/Makefile.in | 29 +-
 contrib/openpam/doc/man/openpam.3 | 2 +-
 contrib/openpam/doc/man/openpam_borrow_cred.3 | 2 +-
 contrib/openpam/doc/man/openpam_free_data.3 | 2 +-
 contrib/openpam/doc/man/openpam_free_envlist.3 | 2 +-
 contrib/openpam/doc/man/openpam_get_feature.3 | 2 +-
 contrib/openpam/doc/man/openpam_get_option.3 | 2 +-
 contrib/openpam/doc/man/openpam_log.3 | 2 +-
 contrib/openpam/doc/man/openpam_nullconv.3 | 2 +-
 contrib/openpam/doc/man/openpam_readline.3 | 2 +-
 contrib/openpam/doc/man/openpam_readlinev.3 | 2 +-
 contrib/openpam/doc/man/openpam_readword.3 | 2 +-
 contrib/openpam/doc/man/openpam_restore_cred.3 | 2 +-
 contrib/openpam/doc/man/openpam_set_feature.3 | 2 +-
 contrib/openpam/doc/man/openpam_set_option.3 | 2 +-
 contrib/openpam/doc/man/openpam_straddch.3 | 2 +-
 contrib/openpam/doc/man/openpam_subst.3 | 2 +-
 contrib/openpam/doc/man/openpam_ttyconv.3 | 2 +-
 contrib/openpam/doc/man/pam.3 | 2 +-
 contrib/openpam/doc/man/pam.conf.5 | 4 +-
 contrib/openpam/doc/man/pam_acct_mgmt.3 | 2 +-
 contrib/openpam/doc/man/pam_authenticate.3 | 2 +-
 contrib/openpam/doc/man/pam_chauthtok.3 | 2 +-
 contrib/openpam/doc/man/pam_close_session.3 | 2 +-
 contrib/openpam/doc/man/pam_conv.3 | 4 +-
 contrib/openpam/doc/man/pam_end.3 | 2 +-
 contrib/openpam/doc/man/pam_error.3 | 2 +-
 contrib/openpam/doc/man/pam_get_authtok.3 | 2 +-
 contrib/openpam/doc/man/pam_get_data.3 | 2 +-
 contrib/openpam/doc/man/pam_get_item.3 | 2 +-
 contrib/openpam/doc/man/pam_get_user.3 | 2 +-
 contrib/openpam/doc/man/pam_getenv.3 | 4 +-
 contrib/openpam/doc/man/pam_getenvlist.3 | 2 +-
 contrib/openpam/doc/man/pam_info.3 | 2 +-
 contrib/openpam/doc/man/pam_open_session.3 | 2 +-
 contrib/openpam/doc/man/pam_prompt.3 | 2 +-
 contrib/openpam/doc/man/pam_putenv.3 | 2 +-
 contrib/openpam/doc/man/pam_set_data.3 | 2 +-
 contrib/openpam/doc/man/pam_set_item.3 | 2 +-
 contrib/openpam/doc/man/pam_setcred.3 | 2 +-
 contrib/openpam/doc/man/pam_setenv.3 | 2 +-
 contrib/openpam/doc/man/pam_sm_acct_mgmt.3 | 2 +-
 contrib/openpam/doc/man/pam_sm_authenticate.3 | 2 +-
 contrib/openpam/doc/man/pam_sm_chauthtok.3 | 2 +-
 contrib/openpam/doc/man/pam_sm_close_session.3 | 2 +-
 contrib/openpam/doc/man/pam_sm_open_session.3 | 2 +-
 contrib/openpam/doc/man/pam_sm_setcred.3 | 2 +-
 contrib/openpam/doc/man/pam_start.3 | 2 +-
 contrib/openpam/doc/man/pam_strerror.3 | 2 +-
 contrib/openpam/doc/man/pam_verror.3 | 2 +-
 contrib/openpam/doc/man/pam_vinfo.3 | 2 +-
 contrib/openpam/doc/man/pam_vprompt.3 | 2 +-
 contrib/openpam/include/Makefile.in | 31 +-
 contrib/openpam/include/security/Makefile.in | 29 +-
 contrib/openpam/include/security/openpam_version.h | 8 +-
 contrib/openpam/install-sh | 4 +-
 contrib/openpam/lib/Makefile.in | 31 +-
 contrib/openpam/lib/libpam/Makefile.in | 306 ++++++++---
 contrib/openpam/lib/libpam/pam_getenv.c | 21 +-
 contrib/openpam/m4/ax_pkg_config.m4 (new) | 157 ++++++
 contrib/openpam/misc/Makefile.in | 29 +-
 contrib/openpam/missing | 16 +-
 contrib/openpam/modules/Makefile.in | 31 +-
 contrib/openpam/modules/pam_deny/Makefile.in | 71 ++-
 contrib/openpam/modules/pam_permit/Makefile.in | 71 ++-
 contrib/openpam/modules/pam_return/Makefile.in | 71 ++-
 contrib/openpam/modules/pam_unix/Makefile.in | 74 ++-
 contrib/openpam/t/Makefile.am | 11 +-
 contrib/openpam/t/Makefile.in | 169 ++++--
 contrib/openpam/t/t_pam_env.c (new) | 202 +++++++
 contrib/openpam/t/t_pam_err.c (new) | 63 +++
 contrib/openpam/t/t_pam_err.h (new) | 44 ++
 contrib/openpam/test-driver | 6 +-
 92 files changed, 1806 insertions(+), 919 deletions(-)