Date: Mon, 21 Aug 2006 18:46:26 GMT
From: Nathan Whitehorn <nathanw@uchicago.edu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/102356: net/openldap23-client update breaks pam_ldap + ssh
Message-ID: <200608211846.k7LIkQa1094281@www.freebsd.org>
Resent-Message-ID: <200608211850.k7LIoF3g055847@freefall.freebsd.org>
>Number:         102356
>Category:       ports
>Synopsis:       net/openldap23-client update breaks pam_ldap + ssh
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 21 18:50:14 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Nathan Whitehorn
>Release:        6.1-STABLE
>Organization:
University of Chicago
>Environment:
FreeBSD ginger.rh 6.1-STABLE FreeBSD 6.1-STABLE #0: Wed Aug 9 19:43:51 UTC 2006 root@puppetmaster.rh:/usr/obj/usr/src/sys/SMP amd64
>Description:
The update to OpenLDAP 2.3.26 breaks sshd when used with pam_ldap (anything else used with pam_ldap works -- might be a threading issue). This occurs only on RELENG_6 worlds built after the beginning of July or so. Reverting to the old OpenLDAP fixes the problem.

The error causes sshd to segfault, unless it is in debugging mode. Output to the clients appears:

[nathanw@print /etc/pam.d]$ ssh 128.135.221.12 -p 23
Permission denied (publickey,keyboard-interactive).

In debugging mode, sshd gives me the following:

debug1: PAM: setting PAM_RHOST to "palevsky-221-013.rh.uchicago.edu"
debug2: monitor_read: 45 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 48
debug3: mm_answer_pam_init_ctx
debug3: PAM: sshpam_init_ctx entering
debug3: mm_request_send entering: type 49
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 50
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug3: mm_request_send entering: type 51
debug3: mm_request_receive entering
debug3: mm_sshpam_query: pam_query returned -1
debug3: mm_sshpam_free_ctx
debug3: mm_request_send entering: type 54
debug3: mm_sshpam_free_ctx: waiting for MONITOR_ANS_PAM_FREE_CTX
debug3: mm_request_receive_expect entering: type 55
debug3: monitor_read: checking request 54
debug3: mm_request_receive entering
debug3: mm_answer_pam_free_ctx
debug3: PAM: sshpam_free_ctx entering
debug3: PAM: sshpam_thread_cleanup entering
debug3: mm_request_send entering: type 55
debug2: monitor_read: 54 used once, disabling now
Failed unknown for nathanw from 128.135.221.13 port 54854 ssh2
Failed keyboard-interactive for nathanw from 128.135.221.13 port 54854 ssh2
debug3: mm_request_receive entering
Connection closed by 128.135.221.13
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
>How-To-Repeat:
Enable ssh authentication with LDAP:

auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
>Fix:
Downgrade to OpenLDAP 2.3.25.
>Release-Note:
>Audit-Trail:
>Unformatted: