Summary: | net-mail/dovecot-1.2.11-r1: dovecot-auth using pam_ssh crashes on logins that have a .ssh dir with private key | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Kai Krakow <hurikhan77+bgo> |
Component: | [OLD] Server | Assignee: | PAM Gentoo Team (OBSOLETE) <pam-bugs+disabled> |
Status: | RESOLVED FIXED | ||
Severity: | critical | CC: | atoth, david+gentoo.org, net-mail+disabled |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | x86 | ||
OS: | Linux | ||
Attachments: | partial strace log of dovecot-auth (v1.1.7-r1); Backtrace of dovecot-auth; pam_ssh-1.97-dovecot.patch; pam_ssh-1.97-r2.ebuild | ||
Description
Kai Krakow
2009-06-21 10:08:51 UTC
Created attachment 195333 [details]
partial strace log of dovecot-auth (v1.1.7-r1)
Sorry, two more ebuild versions involved:
[ebuild R ] sys-auth/pam_ssh-1.92 0 kB
[ebuild R ] sys-auth/pambase-20081028 USE="cracklib sha512 ssh -consolekit -debug -gnome-keyring -mktemp -passwdqc (-selinux)" 0 kB

Got hit by the same bug. I re-merged pambase with USE="-ssh" and problem i was able to authenticate again.

Hit the same one here. I suspect this to be a bug that must be solved upstream.

Kai: I see you are running a grsec kernel. In this case you can work around this by hiding the .ssh directory of the user for the dovecot-auth process.
Regards, Dw.

(In reply to comment #4)
> Kai: I see you are running a grsec kernel. In this case you can work around this
> by hiding the .ssh directory of the user for the dovecot-auth process.

While that would work, I would consider that a Würg-Around (spoken in German words, means ugly work around). It's not a very big problem, just one user of about 1000 is affected - and that one is just me. ;-)

Do you still have this problem with a current version of dovecot?

I'm closing this bug because it is for a pretty old version and there isn't any activity on this bug. Feel free to re-open for the current stable version (1.2.11-r1) or newer. Thanks for understanding.

it's caused by pam_ssh, if you remove that from the setup, things work fine. yes, it still crashed a couple months ago.

This is still an issue with 1.2.11. I will soon try to create a coredump. (since I found out that it works when one enables suid coredumps) I reopen this bug assuming 1.2.11 being still pretty current on production systems.
In reply to comment #8: I want to keep pam_ssh - so this is not an option. BTW: I don't think it is a proper solution to remove software that was installed on intent.

i fully agree, i simply ran out of time for debugging what the bad data was that pam_ssh was handing back to dovecot that made it crash. i suspect a null value

(In reply to comment #10)
> i fully agree, i simply ran out of time for debugging what the bad data was
> that pam_ssh was handing back to dovecot that made it crash. i suspect a null
> value

As far as I figured out the chat parser of dovecot does not handle that pam_ssh yields "Passphrase" instead of "Password" as the password prompt.

Created attachment 238747 [details]
Backtrace of dovecot-auth
According to the backtrace the error is within pam_ssh. I removed my username and password from it.

I changed the summary to reflect my current setup

(In reply to comment #12)
> According to the backtrace the error is within pam_ssh.

In that case, pam herd should have a look. Reassigning.

Created attachment 241717 [details, diff]
pam_ssh-1.97-dovecot.patch
Created attachment 241719 [details]
pam_ssh-1.97-r2.ebuild
Please check the attached ebuild and patch.
For your ref, diff for the ebuild:
--- pam_ssh-1.97-r1.ebuild 2010-03-31 02:36:03.000000000 +0000
+++ pam_ssh-1.97-r2.ebuild 2010-08-07 06:38:49.000000000 +0000
@@ -1,6 +1,6 @@
# Copyright 1999-2010 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/pam_ssh/pam_ssh-1.97-r1.ebuild,v 1.7 2010/01/17 05:31:51 abcd Exp $
+# $Header: $
EAPI=2
@@ -12,7 +12,8 @@
LICENSE="BSD as-is"
SLOT="0"
-KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-linux ~ia64-linux ~x86-linux"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh
+~sparc ~x86 ~amd64-linux ~ia64-linux ~x86-linux"
IUSE=""
# Doesn't work on OpenPAM.
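Review bot: the KEYWORDS line moves every keyword that was stable in -r1 (alpha, amd64, arm, hppa, ia64, m68k, ppc, ppc64, s390, sh, sparc, x86) to ~arch, so systems on stable keywords stay on pam_ssh-1.97-r1 without the new patch until -r2 is stabilised; say so in the ChangeLog entry. The new value also breaks onto a second line inside the quotes, and keeping it on one line as in -r1 is easier to grep and diff.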
@@ -24,13 +25,13 @@
src_prepare() {
epatch "${FILESDIR}/${P}-doublefree.patch"
+ epatch "${FILESDIR}/${P}-dovecot.patch"
eautoreconf
}
src_configure() {
econf \
- "--with-pam-dir=$(getpam_mod_dir)" \
- || die "econf failed"
+ "--with-pam-dir=$(getpam_mod_dir)"
}
src_install() {
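Review bot: the added epatch "${FILESDIR}/${P}-dovecot.patch" in src_prepare has no comment saying what it works around, unlike a patch name such as -doublefree that explains itself; add a one-line comment above it naming the problem it addresses. Removing || die "econf failed" from src_configure is fine, since econf already dies on failure.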
Comment on attachment 241717 [details, diff]
pam_ssh-1.97-dovecot.patch
Ehm, a bit too hacky...
why did you do that? Does it have problems with symbol collisions? In that case we have better solutions anyway.
Both pam_ssh and dovecot have buffer_free() leading to a collision. True, hacky indeed but... I am open to suggestions.

Okay... I'll come up with a saner solution for pam_ssh, but that package really needs some help upstream.

Fixed by hiding all the non-PAM-related symbols from the export via LD versioning script.

Noted the solution. Thanks.

Point taken. Do we need to inherit flag-o-matic?

I thought I did ... d'oh!

Looks like this fixes the problems with dovecot-auth. Thanks!
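An added example, not part of the bug report and not code from pam_ssh or dovecot: a small Python check for the kind of collision discussed above. It lists what a PAM module exports beyond the pam_sm_* entry points and flags the names the host binary also defines. The nm output is constructed, and every symbol name except buffer_free is hypothetical.

```python
import re

# Entry points a Linux-PAM service module is meant to export.
PAM_ENTRY = re.compile(
    r"pam_sm_(authenticate|setcred|acct_mgmt|open_session|close_session|chauthtok)")
GLOBAL_DEFINED = set("TDBRGSWV")  # nm type letters for global/weak definitions


def exported(nm_text):
    """Names defined and exported, parsed from `nm -D --defined-only` text."""
    names = set()
    for line in nm_text.splitlines():
        fields = line.split()
        # Defined symbols have three fields (address, type, name); "U" lines have two.
        if len(fields) == 3 and fields[1] in GLOBAL_DEFINED:
            names.add(fields[2].split("@")[0])  # drop any @VERSION suffix
    return names


def audit(module_nm, host_nm):
    """Return (leaked, collisions) for a PAM module loaded into a host process."""
    module, host = exported(module_nm), exported(host_nm)
    leaked = sorted(n for n in module if not PAM_ENTRY.fullmatch(n))
    collisions = sorted(set(leaked) & host)
    return leaked, collisions


# Constructed samples; only buffer_free is a name taken from the bug report.
HOST_NM = """\
0000000000012a40 T buffer_free
0000000000012b10 T example_host_helper
                 U pam_start
"""
MODULE_BEFORE_NM = """\
0000000000003100 T buffer_free
0000000000003180 T example_key_load
0000000000002400 T pam_sm_authenticate
0000000000002900 T pam_sm_open_session
0000000000002a00 T pam_sm_close_session
0000000000002800 T pam_sm_setcred
"""
# Same module once a version script keeps pam_sm_* global and the rest local.
MODULE_AFTER_NM = """\
0000000000002400 T pam_sm_authenticate
0000000000002900 T pam_sm_open_session
0000000000002a00 T pam_sm_close_session
0000000000002800 T pam_sm_setcred
"""

if __name__ == "__main__":
    for label, text in (("before", MODULE_BEFORE_NM), ("after", MODULE_AFTER_NM)):
        print(label, audit(text, HOST_NM))
```

On a real system the two inputs would come from running nm -D --defined-only on the module and on the binary that loads it.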