Sjoerd Simons wrote:
> On Tue, Jun 01, 2004 at 12:16:23AM +1000, Darren Tucker wrote:
>> You said earlier in the bug report that "Also i noticed that this only
>> happens when using X forwarding", however the logs you just sent do not
>> appear to have X forwarding enabled. Do those logs show the problem
>> you're having?
>
> Yes it did.. I just rechecked with or without X forwarding and it didn't seem to
> make a difference. But if I do connect without ssh-agent forwarding (-a) the
> problem doesn't occur..
>
> The quote about X forwarding was from March 11, with an older version of ssh.
> Maybe something has changed to cause it to trigger without X forwarding?

There's a few changes between 3.8p1 and 3.8.1p1 in the PAM code, but
none that leap out at me as the cause of this problem.

Thinking about this some more: when you authenticate via
keyboard-interactive, you're authenticating via pam_authenticate(),
however when you use public-key, the pam_authenticate call is skipped.
(sshd also does some things differently as a result of needing to call
pam_authenticate, for reasons I won't go into).

Now I see 2 possibilities: either the things sshd has to do differently
trigger the problem, or the fact that pam_authenticate wasn't called
upsets pam_ldap.

A couple of days ago I wrote a crude tool[1] to try and figure out what
PAM is doing in such cases. If you feel game, you can use it to
simulate roughly what sshd is doing. Check it to make sure there's
nothing nasty in it, then compile it with "gcc pam-test-harness.c -lpam"
and run it as root with "./a.out -u yourusername -s sshd". (The
passwords will echo so make sure no-one is watching over your shoulder).

Now, run it again with "-a", which will cause it to not call
pam_authenticate and compare its behaviour. If it hangs with -a, it's
probably a pam_ldap bug and you have a largish testcase for the PAM
developers. If it doesn't hang, then it's probably something in what
sshd does differently which triggers it, and more investigation of sshd is
needed. Either way, please send the output back, minus any passwords or
private information.

[1] http://www.zip.com.au/~dtucker/patches/pam-test-harness.c
There's a description of it at http://www.zip.com.au/~dtucker/patches/

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
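
Added example, not part of the original message and not the harness author's code: a wrapper that runs the two harness invocations described above under a time limit and applies the decision rule from the message. It assumes GNU coreutils timeout(1); the function names, the 60-second default and the log file names are choices made here.

```sh
#!/bin/sh
# Usage (as root): compare_pam ./a.out yourusername sshd
# A run that exceeds the limit is reported as a hang, so keep the limit
# well above the time needed to type a password. Passwords typed at the
# prompts may end up in the logs: review them before sending.

# run_case LOG LIMIT CMD...: run CMD under a time limit, copy its output to
# LOG and to stderr, and print "ok", "hang" or "fail:<status>" on stdout.
run_case() {
    rc_log=$1 rc_limit=$2
    shift 2
    {
        rc=0
        # --foreground lets the harness read its prompts from the terminal.
        timeout --foreground "$rc_limit" "$@" 2>&1 || rc=$?
        echo "$rc" > "$rc_log.rc"
    } | tee "$rc_log" >&2
    case $(cat "$rc_log.rc") in
        0)   echo ok ;;
        124) echo hang ;;   # timeout(1) exit status when the limit expired
        *)   echo "fail:$(cat "$rc_log.rc")" ;;
    esac
}

# compare_pam HARNESS USER SERVICE [LIMIT_SECONDS] [LOGDIR]
compare_pam() {
    cp_harness=$1 cp_user=$2 cp_service=$3 cp_limit=${4:-60} cp_dir=${5:-.}
    # Same flags as in the message: -u user, -s service, -a skips pam_authenticate.
    cp_with=$(run_case "$cp_dir/with-auth.log" "$cp_limit" \
        "$cp_harness" -u "$cp_user" -s "$cp_service")
    cp_skip=$(run_case "$cp_dir/skip-auth.log" "$cp_limit" \
        "$cp_harness" -a -u "$cp_user" -s "$cp_service")
    echo "with pam_authenticate: $cp_with"
    echo "without pam_authenticate (-a): $cp_skip"
    if [ "$cp_skip" = hang ]; then
        echo "verdict: hang reproduced outside sshd; probably pam_ldap"
    else
        echo "verdict: no hang with -a; look at what sshd does differently"
    fi
}
```

The two log files hold the harness output for each run.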