https://bugzilla.mindrot.org/show_bug.cgi?id=3723
--- Comment #4 from S Zhang <[email protected]> ---

I took a look at the openssh-portable part that handles the session. It appears that when the PAM session failed, we still create a sshd_session, but with everything in sshauthopt unset, meaning nothing, including port forwarding, can be done.

https://github.com/openssh/openssh-portable/blob/10ccf611ab8ecba9ce6b0548c5ccd8c1220baf92/auth-pam.c#L1220-L1225
https://github.com/openssh/openssh-portable/blob/10ccf611ab8ecba9ce6b0548c5ccd8c1220baf92/auth.c#L763-L780

However, the sshd_session that failed PAM for session keeps running with restricted sshauthopt. Systemd saw the running sshd_session owned by the user and created a session under that user for it. While the sshd_session and the ssh client cannot do anything, the sshd_session waits for the user to close the connection to stop the local process. Normally the ssh client attempted to run something and got rejected, which initiated the connection close process, but when the ssh client was running with -N set, such a thing did not happen, and the sshd_session process persists with the systemd-logind session.

I wonder why such a restricted session would remain, and why the sshd side would not initiate the close session part but wait for the client side to close the session? Are there any use cases where such a restricted session is useful?
