From sanewo@ba2.so-net.ne.jp  Sun Nov  5 01:39:25 2000
Return-Path: <sanewo@ba2.so-net.ne.jp>
Received: from mgate11.so-net.ne.jp (mgate11.so-net.ne.jp [210.139.254.158])
	by hub.freebsd.org (Postfix) with ESMTP id 0B05637B4FE
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  5 Nov 2000 01:39:25 -0800 (PST)
Received: from mail.ba2.so-net.ne.jp (mail.ba2.so-net.ne.jp [210.139.254.21])
	by mgate11.so-net.ne.jp (8.9.3/3.7W00101717) with ESMTP id SAA22404
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 5 Nov 2000 18:39:22 +0900 (JST)
Received: from ba2.so-net.ne.jp (pee4aac.tokynt01.ap.so-net.ne.jp [202.238.74.172])
	by mail.ba2.so-net.ne.jp (8.8.8/3.7W99081617) with ESMTP id SAA00287
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 5 Nov 2000 18:39:21 +0900 (JST)
Received: (from sanewo@localhost)
	by ba2.so-net.ne.jp (8.11.1/8.11.1) id eA59cpi17495;
	Sun, 5 Nov 2000 18:38:51 +0900 (JST)
	(envelope-from sanewo)
Message-Id: <200011050938.eA59cpi17495@ba2.so-net.ne.jp>
Date: Sun, 5 Nov 2000 18:38:51 +0900 (JST)
From: sanewo@ba2.so-net.ne.jp
Reply-To: sanewo@ba2.so-net.ne.jp
To: FreeBSD-gnats-submit@freebsd.org
Subject: pam_ssh dumps core
X-Send-Pr-Version: 3.2

>Number:         22614
>Category:       bin
>Synopsis:       pam_ssh dumps core
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    billf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 05 01:40:00 PST 2000
>Closed-Date:    Wed Mar 31 01:59:06 PST 2004
>Last-Modified:  Wed Mar 31 01:59:06 PST 2004
>Originator:     Takanori Saneto
>Release:        FreeBSD 4.2-BETA i386
>Organization:
an individual
>Environment:

FreeBSD muse.sanewo 4.2-BETA FreeBSD 4.2-BETA #3: Fri Nov  3 10:25:50 JST 2000     sanewo:/usr/obj/usr/src/sys/MUSE  i386

>Description:

When pam_ssh.so is invoked (somehow) by xdm, it will dump core because of incorrect argument
passing in pam_sm_open_session for ssh_add_identity (as the compiler warns, as follows).

cc -O -pipe -Wall -I/usr/src/lib/libpam/modules/pam_ssh/../../../../crypto/openssh -c /usr/src/lib/libpam/modules/pam_ssh/../../../../crypto/openssh/pam_ssh/pam_ssh.c -o pam_ssh.o
/usr/src/lib/libpam/modules/pam_ssh/../../../../crypto/openssh/pam_ssh/pam_ssh.c: In function `pam_sm_open_session':
/usr/src/lib/libpam/modules/pam_ssh/../../../../crypto/openssh/pam_ssh/pam_ssh.c:446: warning: passing arg 2 of `ssh_add_identity' from incompatible pointer type

>How-To-Repeat:

After applying the patch which I sent as another PR ("fix for xdm to cope with PAM") and
modifying /etc/pam.conf as follows:

xdm	account	required	pam_unix.so			try_first_pass
xdm	auth	requisite	pam_cleartext_pass_ok.so
xdm	auth	sufficient	pam_ssh.so			try_first_pass
xdm	auth	required	pam_unix.so
xdm	password required	pam_deny.so
xdm	session	optional	pam_ssh.so
xdm	session	required	pam_deny.so

logging in with xdm causes an immediate core dump.

>Fix:

The following patch will fix the problem (both -stable and -current).

Index: crypto/openssh/pam_ssh/pam_ssh.c
===================================================================
RCS file: /export/cvsup/cvs/src/crypto/openssh/pam_ssh/pam_ssh.c,v
retrieving revision 1.3.2.2
diff -u -r1.3.2.2 pam_ssh.c
--- crypto/openssh/pam_ssh/pam_ssh.c    2000/10/28 23:01:02     1.3.2.2
+++ crypto/openssh/pam_ssh/pam_ssh.c    2000/11/05 07:24:45
@@ -443,7 +443,7 @@
                env_destroy(ssh_env);
                return PAM_SESSION_ERR;
        }
-       retval = ssh_add_identity(ac, key.rsa, comment);
+       retval = ssh_add_identity(ac, &key, comment);
        ssh_close_authentication_connection(ac);
        env_swap(ssh_env, 0);
        return retval ? PAM_SUCCESS : PAM_SESSION_ERR;
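
Review bot: At the changed call, ssh_add_identity(ac, &key, comment) now hands the callee the whole key object rather than only its rsa member, so every field of key that the callee reads has to be set before this line; the hunk does not show where key is populated, so please confirm that in the surrounding code. The mismatch being fixed was only reported as a -Wall warning at pam_ssh.c:446 in the build log above, so treating incompatible-pointer warnings as errors for this module would keep the same mistake from compiling again.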


BTW, I found that ports/security/openssh/files/pam_ssh.c is already fixed this way.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->green 
Responsible-Changed-By: billf 
Responsible-Changed-When: Fri Nov 24 17:40:59 PST 2000 
Responsible-Changed-Why:  
green is investigating this one 

http://www.freebsd.org/cgi/query-pr.cgi?pr=22614 
Responsible-Changed-From-To: green->billf 
Responsible-Changed-By: billf 
Responsible-Changed-When: Fri Nov 24 17:42:06 PST 2000 
Responsible-Changed-Why:  
I'm committing this one with green's approval, rather. 

State-Changed-From-To: open->closed 
State-Changed-By: billf 
State-Changed-When: Wed Mar 31 01:58:45 PST 2004 
State-Changed-Why:  
overcome by events. 

>Unformatted:
