From oberman@es.net  Sun Aug  9 01:34:52 2009
Return-Path: <oberman@es.net>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 65B7A106566B
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  9 Aug 2009 01:34:52 +0000 (UTC)
	(envelope-from oberman@es.net)
Received: from postal1.es.net (postal1.es.net [198.128.3.205])
	by mx1.freebsd.org (Postfix) with ESMTP id 53B278FC08
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  9 Aug 2009 01:34:51 +0000 (UTC)
Received: from slan.es.net
        by postal1.es.net (Postal Node 1) with ASMTP (SSL) id QJH98242
        for <FreeBSD-gnats-submit@freebsd.org>; Sat, 08 Aug 2009 18:24:42 -0700
Received: by slan.es.net (Postfix, from userid 9381)
	id 007D95C58; Sat,  8 Aug 2009 18:24:41 -0700 (PDT)
Message-Id: <20090809012442.007D95C58@slan.es.net>
Date: Sat,  8 Aug 2009 18:24:41 -0700 (PDT)
From: Kevin Oberman <oberman@es.net>
Reply-To: Kevin Oberman <oberman@es.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Need to build pam_ssh module even if openssh is not built
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         137586
>Category:       kern
>Synopsis:       [libpam] Need to build pam_ssh module even if openssh is not built
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    des
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 09 01:40:01 UTC 2009
>Closed-Date:    
>Last-Modified:  Sun Aug  9 16:20:03 UTC 2009
>Originator:     Kevin Oberman
>Release:        FreeBSD 8.0-BETA2 i386
>Organization:
>Environment:
System: FreeBSD pak.es.net 8.0-BETA2 FreeBSD 8.0-BETA2 #0: Sat Aug  8 16:32:15 PDT 2009 root@slan.es.net:/usr/obj/usr/src/sys/IBM-T43 i386


	
>Description:
	
When the ports version of OpenSSH and WITHOUT_SSH is used to prevent
over-writing the ports version with the base version when updating the system,
pam_ssh is not made. If this is a fresh build from scratch, this breaks PAM
SSH. If not, the old module will be used which may lack security fixes.
>How-To-Repeat:
	
Clean out sources and /usr/obj and add WITHOUT_OPENSSH=YES to /etc/src.conf.
buildworld.
>Fix:
--- lib/libpam/modules/modules.inc.orig	2006-03-17 10:54:27.000000000 -0800
+++ lib/libpam/modules/modules.inc	2009-08-07 13:45:11.000000000 -0700
@@ -26,8 +26,6 @@
 MODULES		+= pam_rootok
 MODULES		+= pam_securetty
 MODULES		+= pam_self
-.if ${MK_OPENSSH} != "no"
 MODULES		+= pam_ssh
-.endif
 MODULES		+= pam_tacplus
 MODULES		+= pam_unix
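Review bot: Removing the `.if ${MK_OPENSSH} != "no"` / `.endif` pair around `MODULES += pam_ssh` makes pam_ssh build unconditionally, including when WITHOUT_OPENSSH is set, and the hunk does not show how the module would build without the base OpenSSH; the maintainer's follow-up in this PR says the result is a broken build. Suggest keeping the guard and handling the stale-module concern from the Description separately, for example by removing the previously installed pam_ssh module when the option is set, so that an outdated copy lacking security fixes is not left in place for PAM to load.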

	


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Aug 9 05:24:40 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=137586 

From: Mark Linimon <linimon@lonesome.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/137586: [libpam] Need to build pam_ssh module even if
	openssh is not built
Date: Sun, 9 Aug 2009 11:14:41 -0500

 ----- Forwarded message from Dag-Erling Smørgrav <des@des.no> -----
 
 From: Dag-Erling Smørgrav <des@des.no>
 Subject: Re: conf/137586: [libpam] Need to build pam_ssh module even if openssh is not built
 
 I'm sorry, there is no way to build pam_ssh with ssh from ports.  All
 your patch does is break the build when WITHOUT_OPENSSH is defined.
 
 DES
 -- 
 Dag-Erling Smørgrav - des@des.no
 
 ----- End forwarded message -----
>Unformatted:
