Re: Running sshd with Privilege Seperation drops connection on password change

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Thu, Dec 17, 2015 at 9:34 AM, Nasim, Kam <Kam.Nasim@xxxxxxxxxxxxx> wrote:
> Hi Darren/Damien,
>
> Sorry for responding so late. Still hope we can get this sorted out.
> Yes I am indeed using PAM for ssh authentication and disabling priv seperation is a no-go for us since it opens up a security loophole.
>
> From what I can see in ptree and auth logs, when the child passwd process returns with SIGCHLD, the parent sshd process terminates.
>
> Sshd logs are as follows as requested at DEBUG3 verbosity. They indicate the ssh, followed by the password change and finally termination of connection:

Despite being asked for them earlier, you still have not provided the
full debug logs, which would tell, amongst other things, what version
of OpenSSH this is.  That said...

[...]
> Dec 16 22:22:13 knasim-ubuntu1 sshd[8623]: debug1: SELinux support disabled

I know of no version of OpenSSH supplied by us that has that message,
so I suspect you are using a modified version.

> Dec 16 22:22:13 knasim-ubuntu1 sshd[8569]: debug3: PAM: sshpam_passwd_conv called with 1 messages
[...]
> Dec 16 22:22:24 knasim-ubuntu1 passwd[8624]: pam_unix(passwd:chauthtok): password changed for nasim

This is working exactly as I described in option #2 earlier: password
authentication followed by execing /bin/passwd.

Your other option is what I described in #1: Disable
PasswordAuthentication in sshd_config and use
ChallengeResponseAuthentication/KbdInteractiveAuthentication.

> Dec 16 22:22:24 knasim-ubuntu1 sshd[8623]: debug1: Received SIGCHLD.
[...]
> Let me know what you guys think.

I think it is working as intended.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux