Bug 27153

Summary: session settings in pam.conf are ignored for login(1)
Product: Base System Reporter: stolz <stolz>
Component: bin    Assignee: Mark Murray <markm>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 4.3-STABLE   
Hardware: Any   
OS: Any   

Description stolz 2001-05-06 13:40:01 UTC
login(1) will not call pam_open_session() and thus all entries regarding the
session-layer of PAM are ignored. This includes pam_ssh which would set up
an ssh-agent-environment.

Fix: 

A simple fix would be to simply call pam_open_session(). However, this will
trigger another bug regarding login/pam_getenvlist/pam_end. Please check
for a subsequent PR.
How-To-Repeat: Install /usr/ports/security/pam_ssh; I didn't get OpenSSH's pam_ssh to work.
Modify /etc/pam.conf to include
  login   session required        pam_ssh.so
and log in: You will get no PAM session layer.
Comment 1 dwcjr 2001-05-07 17:30:37 UTC
Was there a patch for this?  I think I'm running into the same problem.
Comment 2 Peter Pentchev 2001-05-07 17:32:52 UTC
I think this should really make it into GNATS, not just the list,
shouldn't it now..

G'luck,
Peter

-- 
This sentence claims to be an Epimenides paradox, but it is lying.

----- Forwarded message from Volker Stolz <stolz@I2.Informatik.RWTH-Aachen.DE> -----

Date: Sun, 6 May 2001 19:22:23 +0200
From: Volker Stolz <stolz@I2.Informatik.RWTH-Aachen.DE>
To: gnats-admin@FreeBSD.org, freebsd-bugs@FreeBSD.org
Subject: Patch (Re: bin/27153: login(1) doesn't call pam_open_session)
User-Agent: Mutt/1.3.17i
In-Reply-To: <200105061240.f46Ce1b15863@freefall.freebsd.org>; from gnats-admin@FreeBSD.org on Sun, May 06, 2001 at 05:40:01AM -0700

This patch works(tm), pam_ssh.so from /usr/src works now, too.
-- 
Abstrakte Syntaxträume.
Volker Stolz * stolz@i2.informatik.rwth-aachen.de * PGP + S/MIME

--- login.c.orig	Sun May  6 17:02:55 2001
+++ login.c	Sun May  6 19:18:14 2001
@@ -132,6 +132,7 @@
 char    full_hostname[MAXHOSTNAMELEN];
 #ifndef NO_PAM
 static char **environ_pam;
+pam_handle_t *pamh = NULL;
 #endif
 
 int
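Review bot: the new file-scope `pam_handle_t *pamh = NULL;` has external linkage while the `environ_pam` declared right above it is `static`; make it `static pam_handle_t *pamh = NULL;` so the handle stays private to login.c like the rest of the PAM state instead of being exported as a global symbol.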
@@ -147,6 +148,9 @@
 	int rootok, retries, backoff;
 	int ask, ch, cnt, fflag, hflag, pflag, quietlog, rootlogin, rval;
 	int changepass;
+#ifndef NO_PAM
+	int e=PAM_SUCCESS; /* pam_end() error code*/
+#endif
 	time_t warntime;
 	uid_t uid, euid;
 	gid_t egid;
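Review bot: `int e=PAM_SUCCESS;` is only ever passed on to pam_end() in main(), and nothing in this patch ever assigns it the status of the PAM call that actually failed inside auth_pam(), so the comment `/* pam_end() error code*/` misdescribes it: it is the status handed to pam_end(), and it will always be PAM_SUCCESS. Either have auth_pam() report its last status into this variable or say in the comment that the cleanup status is deliberately not propagated; also use style(9) spacing, `int e = PAM_SUCCESS;`.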
@@ -321,6 +325,13 @@
 		 * then fall back to using traditional Unix authentication.
 		 */
 		if ((rval = auth_pam()) == -1)
+		  if ((pamh) && (e = pam_end(pamh, e)) != PAM_SUCCESS) {
+		    syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
+		  }
+		if (rval == -1) /* auth_pam/ifdef-stupidity :-/
+				   FIXME: Rewrite auth_pam() to call pam_end()
+				   on errors instead of just returning.
+				*/
 #endif /* NO_PAM */
 			rval = auth_traditional();
 
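Review bot: after `pam_end(pamh, e)` returns an error, `pam_strerror(pamh, e)` is called on the handle pam_end() has just torn down, and `pamh` is never reset, so a stale pointer survives into the rest of main(). Set `pamh = NULL;` right after the pam_end() call and log the error without dereferencing the dead handle. Separately, the unbraced nested `if` directly under `if ((rval = auth_pam()) == -1)` is what forces the second `if (rval == -1)` test and the "ifdef-stupidity" comment; wrapping the pam_end() cleanup in braces inside the first `if` and moving `rval = auth_traditional();` into the same block would remove the duplicate test.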
@@ -560,6 +571,15 @@
 	 */
 	if (environ_pam)
 		export_pam_environment();
+
+	/*
+	 * NOTE: Don't call pam_end()! Otherwise all the resources
+	 * allocated will be freed. pam_end() is for ending *all*
+	 * interaction with PAM, i.e. on logout.
+	 *
+	 * FIXME: We've got nowhere to call pam_end()/pam_session_close
+	 * after the user logs out?!
+	 */
 #endif
 
 	/*
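Review bot: the comment records that pam_end() is skipped but does not say that the pam_open_session() now made in auth_pam() is likewise never paired with pam_close_session(), nor why: login exec()s the user's shell, so no process is left to close the session at logout, and any session module that relies on its close hook never gets it. The FIXME should state that and name the standard fix (fork, let the child exec the shell, have the parent wait and then call pam_close_session() and pam_end()), so the next person does not read "nowhere to call" as a mystery rather than a known design limit.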
@@ -677,7 +697,6 @@
 static int
 auth_pam()
 {
-	pam_handle_t *pamh = NULL;
 	const char *tmpl_user;
 	const void *item;
 	int rval;
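Review bot: removing the local `pamh` silently changes auth_pam()'s contract: it now leaves an open handle in the file-scope `pamh` for main() to finish, and on success nothing ever ends it. Add a comment at the top of auth_pam() stating that the caller owns `pamh` after return and which return values leave it open, since no line in the function documents this.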
@@ -732,6 +751,7 @@
 		    PAM_SUCCESS)
 			syslog(LOG_ERR, "Couldn't establish credentials: %s",
 			    pam_strerror(pamh, e));
+		if (pamh) pam_open_session(pamh, 0);
 		environ_pam = pam_getenvlist(pamh);
 		rval = 0;
 		break;
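Review bot: the return value of `pam_open_session(pamh, 0)` is discarded, so a `required` session module that fails, the very layer this PR is about, is ignored and the login proceeds as if the session had been set up. Handle it like the pam_setcred() call just above, for instance `if ((e = pam_open_session(pamh, 0)) != PAM_SUCCESS) syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, e));`, and decide whether a failure should deny the login. The `if (pamh)` guard is redundant here: this branch has already called pam_setcred() on the same handle.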
@@ -747,10 +767,6 @@
 		rval = -1;
 		break;
 	}
-	if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
-		syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
-		rval = -1;
-	}
 	return rval;
 }
 
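Review bot: deleting the pam_end() here means the `e` that held the status of the failing PAM call no longer reaches any pam_end(); main() now ends the handle with its own `e`, which is initialised to PAM_SUCCESS and never updated, so modules' cleanup sees a success status even after an authentication failure, and the `rval = -1` paths return without releasing anything themselves. Return the status (or store it in the file-scope variable main() uses) so pam_end() is called with the real last status.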
@@ -762,7 +778,7 @@
 	for (pp = environ_pam; *pp != NULL; pp++) {
 		if (ok_to_export(*pp))
 			(void) putenv(*pp);
-		free(*pp);
+		/* pp is not ours to free!*/
 	}
 	return PAM_SUCCESS;
 }
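Review bot: dropping `free(*pp)` is right for the strings that were exported, since putenv(3) keeps the pointer it is given rather than copying, and freeing after putenv left `environ` pointing at released memory; but the replacement comment "pp is not ours to free" gives the wrong reason. If, as in Linux-PAM, pam_getenvlist() returns a copy that the caller owns, then the entries rejected by ok_to_export() and the `environ_pam` array itself are now leaked. Free the rejected strings in the `else` branch and the array after the loop, and reword the comment to say the exported strings are now owned by `environ`.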




----- End forwarded message -----
Comment 3 poseiden 2001-05-12 06:02:16 UTC
I get this error message

login: auth_pam:  Module is unknown

depending on my pam.conf I get

login: no modules loaded for 'login' service
Comment 4 stolz 2001-05-12 10:32:42 UTC
On Sat, May 12, 2001 at 12:02:16AM -0500, David W. Chapman Jr. wrote:
> I get this error message
> login: auth_pam:  Module is unknown

My pam.conf looks like this:
# If the user can authenticate with S/Key, that's sufficient; allow clear
# password. Try kerberos, then try plain unix password.
login   auth    sufficient      pam_skey.so
login   auth    requisite       pam_cleartext_pass_ok.so
login   auth    sufficient      pam_ssh.so                      try_first_pass
#login  auth    sufficient      pam_kerberosIV.so               try_first_pass
login   auth    required        pam_unix.so                     try_first_pass
login   account required        pam_unix.so
login   session required        pam_ssh.so

Do you have pam_ssh.so in /usr/lib?
-- 
Abstrakte Syntaxträume.
Volker Stolz * stolz@i2.informatik.rwth-aachen.de * PGP + S/MIME
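The pam.conf above has a session stanza for login, so when no session layer runs the fault is in the application, not the configuration. As an added example (not code from this bug report or from FreeBSD), here is a small parser for the pam.conf format that resolves, per facility, which modules PAM would run for a service, including the fallback to the `other` service that PAM applies when a service has no entries for a facility. The sample text is the pam.conf from the comment above; the two `other` lines are my addition to exercise the fallback, and both are embedded inline so the example runs offline.

```python
from collections import defaultdict

FACILITIES = ("auth", "account", "session", "password")

# Constructed sample: the pam.conf fragment posted in the thread, plus two
# 'other' lines added here to show the fallback rule.
SAMPLE_PAM_CONF = """\
# If the user can authenticate with S/Key, that's sufficient; allow clear
# password. Try kerberos, then try plain unix password.
login   auth    sufficient      pam_skey.so
login   auth    requisite       pam_cleartext_pass_ok.so
login   auth    sufficient      pam_ssh.so                      try_first_pass
#login  auth    sufficient      pam_kerberosIV.so               try_first_pass
login   auth    required        pam_unix.so                     try_first_pass
login   account required        pam_unix.so
login   session required        pam_ssh.so
other   auth    required        pam_deny.so
other   session required        pam_permit.so
"""


def parse_pam_conf(text):
    """Parse pam.conf text into {service: {facility: [(control, module, args)]}}.

    Each entry is 'service facility control module [args...]'. Anything after
    '#' is a comment, so the commented-out kerberosIV line is dropped."""
    conf = defaultdict(lambda: defaultdict(list))
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("line %d: need service, facility, control, module: %r"
                             % (lineno, raw))
        service, facility, control, module, *args = fields
        facility = facility.lower()
        if facility not in FACILITIES:
            raise ValueError("line %d: unknown facility %r" % (lineno, facility))
        conf[service][facility].append((control.lower(), module, args))
    return conf


def effective_entries(conf, service, facility):
    """Entries PAM runs for (service, facility): the service's own entries, or
    the 'other' service's entries when the service has none for that facility."""
    own = conf.get(service, {}).get(facility, [])
    if own:
        return list(own)
    return list(conf.get("other", {}).get(facility, []))


def facility_report(conf, service):
    """For each facility: where the entries come from ('own', 'other' or 'none')
    and the module names in the order they would be invoked."""
    report = {}
    for facility in FACILITIES:
        entries = effective_entries(conf, service, facility)
        if conf.get(service, {}).get(facility):
            source = "own"
        elif entries:
            source = "other"
        else:
            source = "none"
        report[facility] = (source, [module for _, module, _ in entries])
    return report


if __name__ == "__main__":
    conf = parse_pam_conf(SAMPLE_PAM_CONF)
    for facility, (source, modules) in facility_report(conf, "login").items():
        print("login %-8s %-5s %s" % (facility, source, " ".join(modules) or "-"))
```

Running it against the sample shows `login session own pam_ssh.so`: the session facility is configured, so if no session module runs the binary is not calling pam_open_session(). For a service with no lines of its own, the report shows which facilities quietly inherit the `other` entries, which is worth checking before assuming a login path is unconfigured.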
Comment 5 Kris Kennaway freebsd_committer freebsd_triage 2001-07-13 00:47:23 UTC
Responsible Changed
From-To: freebsd-bugs->markm

Mark is the PAM maintainer
Comment 6 Mark Murray freebsd_committer freebsd_triage 2001-07-16 08:03:29 UTC
State Changed
From-To: open->closed

Fixed on Mon Jul 16 00:04:04 PDT 2001