From nobody@FreeBSD.org  Sat Jun  9 11:19:29 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id BF58A37B401
	for <freebsd-gnats-submit@FreeBSD.org>; Sat,  9 Jun 2001 11:19:28 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.3/8.11.3) id f59IJSL11760;
	Sat, 9 Jun 2001 11:19:28 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200106091819.f59IJSL11760@freefall.freebsd.org>
Date: Sat, 9 Jun 2001 11:19:28 -0700 (PDT)
From: wevers@cg.nu
To: freebsd-gnats-submit@FreeBSD.org
Subject: ssh 1 and 2 login with keys is not possible anymore!
X-Send-Pr-Version: www-1.0

>Number:         27991
>Category:       i386
>Synopsis:       ssh 1 and 2 login with keys is not possible anymore!
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 09 11:20:00 PDT 2001
>Closed-Date:    Sat Jul 20 18:09:49 PDT 2002
>Last-Modified:  Sat Jul 20 18:09:49 PDT 2002
>Originator:     Henk Wevers
>Release:        
>Organization:
>Environment:
FreeBSD cg.nu 4.3-STABLE FreeBSD 4.3-STABLE #0: Fri Jun  8 21:54:05 CEST 2001     root@cg.nu:/usr/obj/usr/src/sys/BLAAT  i386
>Description:
If I try to log in with ssh or ssh -2 I can NOT log in with the keys inserted through ssh-agent.
If I try to log in I do get the following message.
Jun  9 20:17:45 f sshd[1623]: ROOT LOGIN as 'henk' from cg.nu
Jun  9 20:17:45 f sshd[1623]: Accepted rsa for HENK from 10.10.1.1 port 1997
Jun  9 20:17:45 f sshd[1623]: fatal: PAM setcred failed[6]: Permission denied


>How-To-Repeat:
It does also work on a STABLE machine compiled today :((
>Fix:

>Release-Note:
>Audit-Trail:

From: Jens Schweikhardt <Jens.Schweikhardt@marconi.com>
To: freebsd-gnats-submit@FreeBSD.org, wevers@cg.nu
Cc:  
Subject: Re: i386/27991: ssh 1 and 2 login with keys is not possible anymore!
Date: Wed, 20 Jun 2001 16:03:29 +0200

 Have you run mergemaster after building -Stable? Wild guess: it could be
 a stale (read: not up-to-date) /etc/pam.conf.
 
 Jens
 
State-Changed-From-To: open->analyzed 
State-Changed-By: schweikh 
State-Changed-When: Wed Jun 20 11:07:41 PDT 2001 
State-Changed-Why:  
Matt Dillon has a temporary workaround until the real bug is identified. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27991 
State-Changed-From-To: analyzed->closed 
State-Changed-By: mp 
State-Changed-When: Sat Jul 20 18:08:03 PDT 2002 
State-Changed-Why:  
Close old bug. The problem was a transient breakage. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=27991 
>Unformatted:

As Matt Dillon writes: (NOTE: patch cut and pasted; does not apply)

    The below patch should temporarily solve the problem until the
    bright boys that broke ssh and/or pam figure out the correct
    fix.  Patch the file in contrib as shown and then do:
  
        cd /usr/src/lib/libpam
        make
        make install
  
    Then restart sshd and you are done.


                                                -Matt

Index: pam_dispatch.c
===================================================================
RCS file: /home/ncvs/src/contrib/libpam/libpam/pam_dispatch.c,v
retrieving revision 1.1.1.1.6.1
diff -u -r1.1.1.1.6.1 pam_dispatch.c
--- pam_dispatch.c      2001/06/07 09:07:32     1.1.1.1.6.1
+++ pam_dispatch.c      2001/06/09 21:48:20
@@ -270,7 +270,7 @@
        break;
     case PAM_SETCRED:
        h = pamh->handlers.conf.setcred;
-       use_cached_chain = 1;
+       use_cached_chain = 0;
        break;
     case PAM_ACCOUNT:
        h = pamh->handlers.conf.acct_mgmt;
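
Review bot: the `use_cached_chain = 0;` line in the PAM_SETCRED case has no comment marking it as a temporary workaround, so nothing in the source will prompt anyone to revert it once the underlying ssh/PAM problem is found. Suggest an XXX comment on that line that references PR 27991 and the "PAM setcred failed[6]: Permission denied" error it works around. Because the file lives in libpam rather than in sshd, the change applies to every caller that reaches the PAM_SETCRED case, and the description should say how the set of setcred handlers that run differs once the cached chain is no longer used. As posted the patch does not apply (cut and pasted), so a copy with the original whitespace should be attached before anyone tests it.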


