Hi, I have a Gentoo-PC (keyword x86) in a NIS network, ypbind is running, and I have enabled pam_access.so in /etc/pam.d/sshd. /etc/pam.d/sshd now looks like this:

    #%PAM-1.0
    account required pam_access.so
    auth required pam_stack.so service=system-auth
    auth required pam_shells.so
    auth required pam_nologin.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth

My /etc/security/access.conf (which is used by pam_access.so) looks like this:

    +:root:ALL
    +:wubivipu:ALL
    -:ALL:ALL

That should mean that only the user "root" and users of the group "wubivipu" can log in. Now if one specific account (which is part of the NIS domain) tries to log in, the child which is forked by sshd segfaults, and the user cannot log in. When using password authentication via SSH, auth.log contains the following entry:

    fatal: PAM: Authentication thread exited unexpectedly

If using public-key authentication, the sshd child just dies, and no entry is in the logs. I also recompiled pam-0.77 and openssh-3.8.1_p1-r1. My CFLAGS are (and have always been) very "unaggressive": -march=i686 -O2 -pipe

I think that this is a bug in either PAM or OpenSSH. I've also used strace to verify that sshd segfaults.

Reproducible: Always
Steps to Reproduce:
BTW: it seems to matter that wubivipu is a group name. If I add a line only for that user above the wubivipu line, it works. Other users in the group wubivipu can log in too; only one special user seems to cause that segfault.
You neglected to provide `emerge info` like the bug report page says to.
Sorry, here it is:

    # emerge info
    Portage 2.0.50-r11 (default-x86-2004.2, gcc-3.3.4, glibc-2.3.3.20040420-r1, 2.6.8.1)
    =================================================================
    System uname: 2.6.8.1 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz
    Gentoo Base System version 1.4.16
    Autoconf: sys-devel/autoconf-2.59-r4
    Automake: sys-devel/automake-1.8.5-r1
    ACCEPT_KEYWORDS="x86"
    AUTOCLEAN="yes"
    CFLAGS="-march=i686 -O2 -pipe"
    CHOST="i686-pc-linux-gnu"
    COMPILER=""
    CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
    CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
    CXXFLAGS="-march=i686 -O2 -pipe"
    DISTDIR="/usr/local/portage/distfiles"
    FEATURES="autoaddcvs ccache sandbox"
    GENTOO_MIRRORS=" http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://sunsite.cnlab-switch.ch/ftp/mirror/gentoo ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://sunsite.cnlab-switch.ch/mirror/gentoo"
    MAKEOPTS="-j1"
    PKGDIR="/usr/local/portage/packages"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    PORTDIR_OVERLAY="/usr/local/portage"
    SYNC="rsync://rsync.gentoo.org/gentoo-portage"
    USE="aalib acl acpi alsa apache2 avi berkdb bitmap-fonts crypt cups curl encode fam foomaticdb gd gd-external gdbm gif gimpprint gmp imlib jpeg libg++ libwww mad matroska mbox mikmod mmx mng mpeg ncurses nls odbc oggvorbis pam pcre pdflib perl png postgres ppds python quicktime readline ruby samba sasl sdl slang spell sse ssl svg tcpd tiff truetype unicode wmf x86 xfs xml2 xprint xvid zlib"
If you need more info, just ask. I think I can mail you a "ypcat group.byname" and a "ypcat passwd", an strace of the segfaulting sshd child.

An addition to what I already said: If the user that causes the segfault is called "testuser", this access.conf still causes segfaults:

    +:root:ALL
    +:testuser:ALL
    +:wubivipu:ALL
    -:ALL:ALL

This doesn't:

    +:testuser:ALL
    +:root:ALL
    +:wubivipu:ALL
    -:ALL:ALL

So I guess the segfault happens when PAM is trying to determine which groups the user is in.
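Added example (not part of the original report, and not pam_access's own code): a simplified model of access.conf first-match evaluation, run over the three orderings quoted above, that records which users-field tokens fall through to a group lookup. It assumes a token is compared to the login name first and is only resolved as a group on a miss; the `GROUPS` map and the user "alice" are constructed sample data, and primary-group and netgroup matching are left out.

```python
# Simplified model of access.conf first-match evaluation (added example,
# not the module's source). Assumption: a users-field token is compared
# to the login name first, and only on a miss is it resolved as a group.

# Constructed sample data standing in for the NIS group map.
GROUPS = {"root": ["root"], "wubivipu": ["alice", "testuser"]}

# The three orderings quoted in the report.
ORIGINAL = "+:root:ALL\n+:wubivipu:ALL\n-:ALL:ALL"
STILL_CRASHING = "+:root:ALL\n+:testuser:ALL\n+:wubivipu:ALL\n-:ALL:ALL"
WORKING = "+:testuser:ALL\n+:root:ALL\n+:wubivipu:ALL\n-:ALL:ALL"

def parse(conf):
    """Yield (perm, user_tokens, origin_tokens) for each access.conf entry."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {line!r}")
        yield perm, users.split(), origins.split()

def evaluate(conf, user, groups=GROUPS):
    """Return (allowed, group_lookups) for a login of `user`."""
    lookups = []
    for perm, users, origins in parse(conf):
        if "ALL" not in origins:    # the model only handles ALL origins
            continue
        for tok in users:
            if tok == "ALL" or tok == user:
                return perm == "+", lookups   # first match decides
            lookups.append(tok)     # name miss: token is tried as a group
            if user in groups.get(tok, []):
                return perm == "+", lookups
    return True, lookups            # no entry matched: access is granted

if __name__ == "__main__":
    for name, conf in [("original", ORIGINAL),
                       ("still crashing", STILL_CRASHING),
                       ("working", WORKING)]:
        print(name, evaluate(conf, "testuser"))
```

Under that assumption, only the ordering with the user's own entry first reaches a decision without any group lookup, which is consistent with the orderings reported as crashing and not crashing.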
If you upgrade your glibc to, say, 2.3.4.2005xxxx, does it keep segfaulting? There have been some bugs with NIS of late that 2.3.4.2005xxxx fixed ...
I believe I've had a similar problem. I'm running x86 (stable) and when I upgraded to net-misc/openssh-4.2_p1, even after restarting ssh and the server, users could not log in. It would connect, accept the password (or public key) and then disconnect. If I used -v, the debug log would say the session was established and then I'd lose the connection (I forgot to make a copy of this output, but if needed I'll reproduce it).

I solved it by masking the new version. As it stands I currently mask the following ssh packages (/etc/portage/package.mask):

    =net-misc/openssh-3.9_p1-r3
    =net-misc/openssh-3.9_p1-r2
    =net-misc/openssh-4.2_p1

Everything is standard about my SSH daemon except for the /etc/pam.d/sshd:

    #%PAM-1.0
    auth include system-auth
    auth required pam_shells.so
    auth required pam_nologin.so
    account required pam_access.so
    account include system-auth
    password include system-auth
    session include system-auth

As you can see, I add pam_access.so to restrict access. Here is my emerge info:

    Portage 2.0.51.22-r3 (default-linux/x86/2005.0, gcc-3.3.6, glibc-2.3.5-r2, 2.6.13-gentoo-r5 i686)
    =================================================================
    System uname: 2.6.13-gentoo-r5 i686 Intel(R) Pentium(R) 4 CPU 2.80GHz
    Gentoo Base System version 1.12.0_pre10
    dev-lang/python: 2.3.5-r2, 2.4.2
    sys-apps/sandbox: 1.2.12
    sys-devel/autoconf: 2.13, 2.59-r6
    sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
    sys-devel/binutils: 2.15.92.0.2-r10
    sys-devel/libtool: 1.5.20
    virtual/os-headers: 2.6.11-r2
    ACCEPT_KEYWORDS="x86"
    AUTOCLEAN="yes"
    CBUILD="i686-pc-linux-gnu"
    CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer"
    CHOST="i686-pc-linux-gnu"
    CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
    CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
    CXXFLAGS="-O2 -march=pentium4 -fomit-frame-pointer"
    DISTDIR="/usr/portage/distfiles"
    FEATURES="autoconfig distlocks sandbox sfperms strict"
    GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
    MAKEOPTS="-j3"
    PKGDIR="/usr/portage/packages"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    PORTDIR_OVERLAY="/usr/local/portage"
    SYNC="rsync://rsync.gentoo.org/gentoo-portage"
    USE="x86 alsa apache2 apm arts avi berkdb bitmap-fonts bzip2 cdr crypt dvdr eds emacs emboss encode expat foomaticdb fortran gd gdbm gif gpm gstreamer imagemagick imap imlib ipv6 java jpeg ldap libg++ libwww mad maildir mhash mikmod mmx motif mp3 mysql ncurses nls ogg oggvorbis oss pam pcre pdflib perl php png python quicktime readline samba sdl spell sse ssl tcpd tiff truetype truetype-fonts type1-fonts udev vorbis xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc"
    Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS

I hope this helps. Right now, I can't run anything above openssh-3.8.1_p1-r1. This has been broken for a while now.
The reporter hasn't responded in almost 2 years. This can be closed with NEEDINFO.
I don't administrate the computer with that problem anymore. My last experience was that the problem was gone after this or that update.