Package: openssh-server Version: 1:4.2p1-5 Severity: important Apologies if this was already reported. I went through the PAM bugs and didn't see it, other than as a comment in #63460 which is a different issue.
The Debian PAM mini-policy says: 1) Use the same PAM handle for all operations. This means it is not OK to call pam_start once for authentication and then later for session management. Modules need to be able to store pam_data between entry points. However, openssh-server starts a subprocess to do PAM authentication when ChallengeResponseAuthentication is enabled. It then tries to lift any environment variables set by pam_authenticate to the parent process using pam_getenvlist, but that doesn't do anything for data items set by pam_set_data. This, among other things, breaks the libpam-krb5 currently in unstable. It's possible to work around this by using a temporary disk file for a credential cache, and I've written a workaround, but it's a bit ugly and it would be nice to be able to rely on the Debian PAM mini-policy being followed by all PAM-using applications. I don't really understand why upstream chose to do PAM authentication in such a horribly convoluted way. It would be very nice if openssh-server could be modified to not fork that separate [pam] subprocess and instead do the PAM authentication calls in the parent process. I expect this will break various other PAM modules that rely on the separation between pam_authenticate and pam_setcred. -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.12-1-686 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C) Versions of packages openssh-server depends on: ii adduser 3.79 Add and remove users and groups ii debconf [debconf-2.0] 1.4.59 Debian configuration management sy ii dpkg 1.13.11.0.1 package maintenance system for Deb ii libc6 2.3.5-8 GNU C Library: Shared libraries an ii libcomerr2 1.38-2 common error description library ii libkrb53 1.4.3-3 MIT Kerberos runtime libraries ii libpam-modules 0.79-3 Pluggable Authentication Modules f ii libpam-runtime 0.79-3 Runtime support for the PAM librar ii libpam0g 0.79-3 Pluggable Authentication Modules l ii libselinux1 1.26-1 SELinux shared libraries ii libssl0.9.8 0.9.8a-3 SSL shared libraries ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra ii openssh-client 1:4.2p1-5 Secure shell client, an rlogin/rsh ii zlib1g 1:1.2.3-8 compression library - runtime openssh-server recommends no packages. -- debconf information: ssh/insecure_rshd: ssh/insecure_telnetd: ssh/new_config: true * ssh/use_old_init_script: true ssh/encrypted_host_key_but_no_keygen: ssh/disable_cr_auth: false -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]