From stolz@i2.informatik.rwth-aachen.de  Sun May  6 05:39:05 2001
Return-Path: <stolz@i2.informatik.rwth-aachen.de>
Received: from mailout01.sul.t-online.com (mailout01.sul.t-online.com [194.25.134.80])
	by hub.freebsd.org (Postfix) with ESMTP id C77EA37B422
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  6 May 2001 05:39:04 -0700 (PDT)
	(envelope-from stolz@i2.informatik.rwth-aachen.de)
Received: from fwd03.sul.t-online.com 
	by mailout01.sul.t-online.com with smtp 
	id 14wNoZ-0002wY-07; Sun, 06 May 2001 14:39:07 +0200
Received: from theater.dyndns.org (320068889749-0001@[62.226.0.12]) by fmrl03.sul.t-online.com
	with esmtp id 14wNob-1vg7iSC; Sun, 6 May 2001 14:39:09 +0200
Received: from monster.ikea.net (monster.ikea.net [192.168.2.3])
	by theater.dyndns.org (8.11.3/8.11.3) with ESMTP id f46Ccq447792
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 6 May 2001 14:38:53 +0200 (CEST)
	(envelope-from stolz@i2.informatik.rwth-aachen.de)
Received: (from vs@localhost)
	by monster.ikea.net (8.11.3/8.11.1) id f46Ce7119059;
	Sun, 6 May 2001 14:40:07 +0200 (CEST)
	(envelope-from vs)
Message-Id: <200105061240.f46Ce7119059@monster.ikea.net>
Date: Sun, 6 May 2001 14:40:07 +0200 (CEST)
From: stolz@i2.informatik.rwth-aachen.de (Volker Stolz)
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: login(1) doesn't call pam_open_session
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         27153
>Category:       bin
>Synopsis:       session settings in pam.conf are ignored for login(1)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    markm
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 06 05:40:01 PDT 2001
>Closed-Date:    Mon Jul 16 00:03:29 PDT 2001
>Last-Modified:  Mon Jul 16 00:04:26 PDT 2001
>Originator:     Volker Stolz
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD monster.ikea.net 4.3-STABLE FreeBSD 4.3-STABLE #0: Sun May 6 11:38:07 CEST 2001 root@monster.ikea.net:/opt/src/sys/compile/MONOMO i386


>Description:
login(1) will not call pam_open_session() and thus all entries regarding the
session-layer of PAM are ignored. This includes pam_ssh which would set up
an ssh-agent-environment.

>How-To-Repeat:
Install /usr/ports/security/pam_ssh; I didn't get OpenSSH's pam_ssh to work.
Modify /etc/pam.conf to include
  login   session required        pam_ssh.so
and log in: You will get no PAM session layer.

>Fix:
A simple fix would be to simply call pam_open_session(). However, this will
trigger another bug regarding login/pam_getenvlist/pam_end. Please check
for a subsequent PR.

>Release-Note:
>Audit-Trail:

From: "David W. Chapman Jr." <dwcjr@inethouston.net>
To: <FreeBSD-gnats-submit@freebsd.org>,
	<stolz@i2.informatik.rwth-aachen.de>
Cc:  
Subject: Re: bin/27153: session settings in pam.conf are ignored for login(1)
Date: Mon, 7 May 2001 11:30:37 -0500

 Was there a patch for this?  I think I'm running into the same problem.
 

From: Peter Pentchev <roam@orbitel.bg>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/27153: login(1) doesn't call pam_open_session
Date: Mon, 7 May 2001 19:32:52 +0300

 I think this should really make it into GNATS, not just the list,
 shouldn't it now..
 
 G'luck,
 Peter
 
 -- 
 This sentence claims to be an Epimenides paradox, but it is lying.
 
 ----- Forwarded message from Volker Stolz <stolz@I2.Informatik.RWTH-Aachen.DE> -----
 
 Date: Sun, 6 May 2001 19:22:23 +0200
 From: Volker Stolz <stolz@I2.Informatik.RWTH-Aachen.DE>
 To: gnats-admin@FreeBSD.org, freebsd-bugs@FreeBSD.org
 Subject: Patch (Re: bin/27153: login(1) doesn't call pam_open_session)
 User-Agent: Mutt/1.3.17i
 In-Reply-To: <200105061240.f46Ce1b15863@freefall.freebsd.org>; from gnats-admin@FreeBSD.org on Sun, May 06, 2001 at 05:40:01AM -0700
 
 This patch works(tm), pam_ssh.so from /usr/src works now, too.
 -- 
 Abstract syntax dreams.
 Volker Stolz * stolz@i2.informatik.rwth-aachen.de * PGP + S/MIME
 
 --- login.c.orig	Sun May  6 17:02:55 2001
 +++ login.c	Sun May  6 19:18:14 2001
 @@ -132,6 +132,7 @@
  char    full_hostname[MAXHOSTNAMELEN];
  #ifndef NO_PAM
  static char **environ_pam;
 +pam_handle_t *pamh = NULL;
  #endif
  
  int
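Review bot: the new file-scope `pam_handle_t *pamh = NULL;` is not `static`, unlike `environ_pam` two lines above it; declaring it `static pam_handle_t *pamh = NULL;` keeps the handle out of the global symbol namespace and matches the existing declaration style. A one-line comment saying the handle is now shared between `auth_pam()` and `main()` so it can stay open until the session is established would also help, since nothing at this point explains why the handle left `auth_pam()`.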
 @@ -147,6 +148,9 @@
  	int rootok, retries, backoff;
  	int ask, ch, cnt, fflag, hflag, pflag, quietlog, rootlogin, rval;
  	int changepass;
 +#ifndef NO_PAM
 +	int e=PAM_SUCCESS; /* pam_end() error code*/
 +#endif
  	time_t warntime;
  	uid_t uid, euid;
  	gid_t egid;
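Review bot: `int e=PAM_SUCCESS; /* pam_end() error code*/` departs from the surrounding style (spaces around `=`, space before `*/`); suggest `int e = PAM_SUCCESS; /* pam_end() error code */`. More importantly, `e` is only ever handed to `pam_end()` as the status of the last PAM call, so initializing it to `PAM_SUCCESS` means a failed authentication is reported to the modules as success when the handle is ended; consider having `auth_pam()` record the actual last return code so `pam_end()` receives it.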
 @@ -321,6 +325,13 @@
  		 * then fall back to using traditional Unix authentication.
  		 */
  		if ((rval = auth_pam()) == -1)
 +		  if ((pamh) && (e = pam_end(pamh, e)) != PAM_SUCCESS) {
 +		    syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
 +		  }
 +		if (rval == -1) /* auth_pam/ifdef-stupidity :-/
 +				   FIXME: Rewrite auth_pam() to call pam_end()
 +				   on errors instead of just returning.
 +				*/
  #endif /* NO_PAM */
  			rval = auth_traditional();
  
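Review bot: in the new `syslog()` call, `pam_strerror(pamh, e)` is evaluated after `pam_end(pamh, e)` has already released the handle, so it passes freed memory to the library (a use-after-free even if the current library ignores the handle argument), and `pamh` is left pointing at the released handle afterwards. Suggest logging `e` without the handle or fetching the message before `pam_end()`, and assigning `pamh = NULL` after `pam_end()` so the `if (pamh)` checks elsewhere stay meaningful. Style: the inserted lines use two-space indentation where the file uses tabs, and the `/* auth_pam/ifdef-stupidity ... FIXME ... */` comment would read better on its own lines above `if (rval == -1)` rather than trailing a condition whose body is the `rval = auth_traditional();` line after `#endif`.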
 @@ -560,6 +571,15 @@
  	 */
  	if (environ_pam)
  		export_pam_environment();
 +
 +	/*
 +	 * NOTE: Don't call pam_end()! Otherwise all the resources
 +	 * allocated will be freed. pam_end() is for ending *all*
 +	 * interaction with PAM, i.e. on logout.
 +	 *
 +	 * FIXME: We've got nowhere to call pam_end()/pam_session_close
 +	 * after the user logs out?!
 +	 */
  #endif
  
  	/*
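Review bot: the FIXME is the real gap in this change: once `login` exec's the shell there is no point at which `pam_close_session()` or `pam_end()` runs, so a session module that needs a close hook (the pam_ssh agent this PR is about, for instance) never gets one and whatever it set up outlives the login. The usual remedy is to fork before exec, run the shell in the child, and have the parent `wait()` and then call `pam_close_session()` and `pam_end()`; if that is out of scope for this patch, the comment should at least name the known consequence rather than end in a question. The `NOTE:` about `pam_end()` freeing resources is also the justification for the `free(*pp)` removal in `export_pam_environment()` later in the patch, and the two comments should reference each other.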
 @@ -677,7 +697,6 @@
  static int
  auth_pam()
  {
 -	pam_handle_t *pamh = NULL;
  	const char *tmpl_user;
  	const void *item;
  	int rval;
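Review bot: removing the local `pamh` is only correct together with the file-scope declaration in the first hunk, and a reader of `auth_pam()` alone now sees a `pam_start()` with no matching `pam_end()`; add a comment at the top of the function stating that the handle is intentionally left open on success for `main()` to establish the session and export the environment, and that it is the caller's job to end it.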
 @@ -732,6 +751,7 @@
  		    PAM_SUCCESS)
  			syslog(LOG_ERR, "Couldn't establish credentials: %s",
  			    pam_strerror(pamh, e));
 +		if (pamh) pam_open_session(pamh, 0);
  		environ_pam = pam_getenvlist(pamh);
  		rval = 0;
  		break;
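Review bot: the return value of `pam_open_session(pamh, 0)` is discarded, so a `session required` module that fails (the exact configuration in the PR's How-To-Repeat) still leads to `rval = 0` and a successful login, which defeats `required`. Suggest `if ((e = pam_open_session(pamh, 0)) != PAM_SUCCESS) { syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, e)); rval = -1; break; }` in place of the bare call. The `if (pamh)` guard is redundant here: the handle was just used by `pam_setcred()` two lines above, so it is necessarily valid. The placement is right, though: session modules must run before `pam_getenvlist()` for the environment they set to be picked up and exported.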
 @@ -747,10 +767,6 @@
  		rval = -1;
  		break;
  	}
 -	if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
 -		syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
 -		rval = -1;
 -	}
  	return rval;
  }
  
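Review bot: dropping the `pam_end()` at the end of `auth_pam()` removes the only place where the failure paths (`rval = -1` in this switch) released the handle; the replacement call in `main()` covers only the `rval == -1` case and does not clear `pamh`. Since the FIXME in the `main()` hunk already asks for `auth_pam()` to end the handle on errors, a cleaner shape is to keep `pam_end()` here under `if (rval != 0)`, set `pamh = NULL` after it, and leave the handle open only on success. Note also that the removed code set `rval = -1` when `pam_end()` itself failed, behaviour the call in `main()` no longer has.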
 @@ -762,7 +778,7 @@
  	for (pp = environ_pam; *pp != NULL; pp++) {
  		if (ok_to_export(*pp))
  			(void) putenv(*pp);
 -		free(*pp);
 +		/* pp is not ours to free!*/
  	}
  	return PAM_SUCCESS;
  }
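Review bot: the replacement comment `/* pp is not ours to free!*/` asserts an ownership rule that should be checked against the PAM library's pam_getenvlist(3) contract: both Linux-PAM and OpenPAM document the returned list as a caller-owned copy, in which case the strings may be freed once `putenv(3)` has copied them, and the array itself (which neither the old nor the new code frees) should be freed as well. If the crash that motivated this came from `putenv()` retaining the pointer in this libc, say so in the comment; if it came from `pam_end()` freeing the same strings, the comment should point at the `NOTE:` in the earlier hunk, which already relies on `pam_end()` not being called. Either way the comment should state the actual reason, and a space before `*/` would match the file's comment style.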
 
 
 
 
 ----- End forwarded message -----

From: "David W. Chapman Jr." <poseiden@inethouston.net>
To: freebsd-gnats-submit@FreeBSD.org,
	stolz@i2.informatik.rwth-aachen.de
Cc:  
Subject: Re: bin/27153: session settings in pam.conf are ignored for login(1)
Date: Sat, 12 May 2001 00:02:16 -0500

 I get this error message
 
 login: auth_pam:  Module is unknown
 
 depending on my pam.conf I get
 
 login: no modules loaded for 'login' service
 

From: Volker Stolz <stolz@I2.Informatik.RWTH-Aachen.DE>
To: "David W. Chapman Jr." <poseiden@inethouston.net>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/27153: session settings in pam.conf are ignored for login(1)
Date: Sat, 12 May 2001 11:32:42 +0200

 On Sat, May 12, 2001 at 12:02:16AM -0500, David W. Chapman Jr. wrote:
 > I get this error message
 > login: auth_pam:  Module is unknown
 
 My pam.conf looks like this:
 # If the user can authenticate with S/Key, that's sufficient; allow clear
 # password. Try kerberos, then try plain unix password.
 login   auth    sufficient      pam_skey.so
 login   auth    requisite       pam_cleartext_pass_ok.so
 login   auth    sufficient      pam_ssh.so                      try_first_pass
 #login  auth    sufficient      pam_kerberosIV.so               try_first_pass
 login   auth    required        pam_unix.so                     try_first_pass
 login   account required        pam_unix.so
 login   session required        pam_ssh.so
 
 Do you have pam_ssh.so in /usr/lib?
 -- 
 Abstract syntax dreams.
 Volker Stolz * stolz@i2.informatik.rwth-aachen.de * PGP + S/MIME
Responsible-Changed-From-To: freebsd-bugs->markm 
Responsible-Changed-By: kris 
Responsible-Changed-When: Thu Jul 12 16:47:23 PDT 2001 
Responsible-Changed-Why:  
Mark is the PAM maintainer 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27153 
State-Changed-From-To: open->closed 
State-Changed-By: markm 
State-Changed-When: Mon Jul 16 00:03:29 PDT 2001 
State-Changed-Why:  
Fixed on Mon Jul 16 00:04:04 PDT 2001 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27153 
>Unformatted:
