NetBSD Problem Report #58412
From martin@aprisoft.de Wed Jul 10 09:41:59 2024
Message-Id: <20240710094149.0D2A85CC795@emmas.aprisoft.de>
Date: Wed, 10 Jul 2024 11:41:49 +0200 (CEST)
From: martin@NetBSD.org
Reply-To: martin@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: ssh update breaks sshd
X-Send-Pr-Version: 3.95
>Number: 58412
>Category: bin
>Synopsis: ssh update breaks sshd
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bin-bug-people
>State: feedback
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Jul 10 09:45:00 +0000 2024
>Closed-Date:
>Last-Modified: Tue Oct 08 23:45:01 +0000 2024
>Originator: Martin Husemann
>Release: NetBSD 10.99.11
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD out-of-the-silent-planet.aprisoft.de 10.99.11 NetBSD 10.99.11 (GENERIC64) #451: Wed Jul 10 10:14:12 CEST 2024 martin@seven-days-to-the-wolves.aprisoft.de:/work/src/sys/arch/evbarm/compile/GENERIC64 evbarm
Architecture: aarch64
Machine: evbarm
>Description:
After updating this machine to -current I couldn't log in via ssh any more:
sshd-session[1709]: fatal: sshpam_init: internal error: NULL PAM service name
My /etc/pam.d is identical to the distributed version.
>How-To-Repeat:
Update a working machine to current, try to log in via ssh.
Setting UsePAM=no in /etc/ssh/sshd_config and restarting sshd works around it.
>Fix:
n/a
>Release-Note:
>Audit-Trail:
From: RVP <rvp@SDF.ORG>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/58412: ssh update breaks sshd
Date: Wed, 10 Jul 2024 12:57:22 +0000 (UTC)
In our src/crypto/external/bsd/openssh/dist/auth-pam.c, we have:
#define SSHD_PAM_SERVICE getprogname()
but, in one of the commit messages leading to 9.8, we read:
```
commit a8fbe2f7d0d96d299ee8e69769e3b51067978748
Author: Damien Miller <djm@mindrot.org>
Date: Thu Jun 13 16:41:29 2024 +1000
sshd: don't use argv[0] as PAM service name
sshd would implicitly use argv[0] as the PAM service name to
allow people to select different PAM service names by making
differently-named copies/links to the sshd binary.
Splitting sshd into sshd/sshd-session broke this, as the process
that starts PAM is always sshd-session and the user has no control
over this.
Hardcode "sshd" as the default PAM service name unless/until we
figure out a better way. Should unbreak OSX integration tests.
```
So, hard-code it to "sshd" or set a `PAMServiceName "sshd"' in sshd_config
as an override.
-RVP
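As an added illustration of the failure RVP describes (this is not code from NetBSD or OpenSSH): a minimal model of servconf-style option handling in which the PAM service name stays NULL when no PAMServiceName directive is present and no default is filled in, which is the condition sshpam_init() rejects, versus the fixed default of "sshd". The names server_options, keyword_is, parse_pam_service_line, fill_default_pam_service and resolve_pam_service are assumptions made for this example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define SSHD_PAM_SERVICE "sshd"   /* fixed default, as in the upstream commit quoted above */
struct server_options {           /* assumed stand-in for servconf's ServerOptions */
    char *pam_service_name;       /* NULL until set by config or by the default filler */
};

/* sshd_config keywords are case-insensitive; match kw followed by blank space. */
static int keyword_is(const char *line, const char *kw, size_t *consumed) {
    size_t i;
    for (i = 0; kw[i] != '\0'; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)kw[i])) return 0;
    if (line[i] != ' ' && line[i] != '\t') return 0;
    *consumed = i;
    return 1;
}

/* Parse one config line; store the value of a PAMServiceName directive, if any. */
static int parse_pam_service_line(struct server_options *o, const char *line) {
    size_t n, len;
    const char *v;
    if (!keyword_is(line, "PAMServiceName", &n)) return 0;
    for (v = line + n; *v == ' ' || *v == '\t'; v++) ;
    len = strcspn(v, " \t\r\n#");            /* value ends at blank, newline or comment */
    if (len == 0) return 0;
    free(o->pam_service_name);
    o->pam_service_name = malloc(len + 1);
    memcpy(o->pam_service_name, v, len);
    o->pam_service_name[len] = '\0';
    return 1;
}

/* The fix (modelled here, not NetBSD's code): supply "sshd" when nothing set the
 * name, instead of deriving it from argv[0], which is "sshd-session" after the split. */
static void fill_default_pam_service(struct server_options *o) {
    if (o->pam_service_name != NULL) return;
    o->pam_service_name = malloc(sizeof SSHD_PAM_SERVICE);
    memcpy(o->pam_service_name, SSHD_PAM_SERVICE, sizeof SSHD_PAM_SERVICE);
}

/* Resolve the PAM service name from config lines; caller frees the result. With
 * fill_defaults == 0 this reproduces the bug: no directive leaves the name NULL. */
char *resolve_pam_service(const char *const *lines, size_t n, int fill_defaults) {
    struct server_options o = { NULL };
    for (size_t i = 0; i < n; i++) parse_pam_service_line(&o, lines[i]);
    if (fill_defaults) fill_default_pam_service(&o);
    return o.pam_service_name;
}
```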
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58412 CVS commit: src/crypto/external/bsd/openssh/dist
Date: Wed, 10 Jul 2024 10:42:01 -0400
Module Name: src
Committed By: christos
Date: Wed Jul 10 14:42:01 UTC 2024
Modified Files:
src/crypto/external/bsd/openssh/dist: servconf.c
Log Message:
PR/58412: Martin Husemann: sync with the portable version, adds default
PAMServiceName handling.
To generate a diff of this commit:
cvs rdiff -u -r1.46 -r1.47 src/crypto/external/bsd/openssh/dist/servconf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc: christos@NetBSD.org
Subject: Re: PR/58412 CVS commit: src/crypto/external/bsd/openssh/dist
Date: Wed, 10 Jul 2024 22:40:41 +0000 (UTC)
On Wed, 10 Jul 2024, Christos Zoulas wrote:
> Modified Files:
> src/crypto/external/bsd/openssh/dist: servconf.c
>
> Log Message:
> PR/58412: Martin Husemann: sync with the portable version, adds default
> PAMServiceName handling.
>
Thanks; sshd_config.5 will need merging as well. There's no mention of
PAMServiceName at all there.
-RVP
From: Christos Zoulas <christos@zoulas.com>
To: RVP <rvp@SDF.ORG>
Cc: gnats-bugs@netbsd.org,
"christos@netbsd.org" <christos@NetBSD.org>
Subject: Re: PR/58412 CVS commit: src/crypto/external/bsd/openssh/dist
Date: Sat, 13 Jul 2024 10:26:15 -0400
Unfortunately, there is nothing there either :-(
christos
[10:24am] 37>diff openssh-9.8p1/ssh_config.5 dist
0a1
> .\" $NetBSD: ssh_config.5,v 1.42 2024/07/08 22:33:44 christos Exp $
37c38
< .Dd $Mdocdate: June 17 2024 $
---
> .Dd June 17 2024
1242a1244,1254
> .It Cm IPv6PreferTemporary
> In the absence of an explicitly specified
> .Cm BindAddress ,
> this defines whether to prefer temporary addresses as source address.
> The argument to this can by either
> .Cm yes ,
> meaning to prefer any temporary address, or
> .Cm no ,
> resulting in the use of a permanent address, if available.
> If this option isn't specified,
> the address selection depends on the OS configuration.
1259c1271,1272
< .Cm bsdauth
---
> .Cm bsdauth ,
> .Cm pam ,
1261c1274
< .Cm pam .
---
> .Cm skey .
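Review bot: this diff compares ssh_config.5, the client configuration page, while PAMServiceName is a server option that would live in sshd_config.5, the file RVP asked about; its absence here is therefore expected, and the comparison should be rerun against sshd_config.5. The regions shown (the NetBSD RCS id, the .Dd line, the IPv6PreferTemporary entry and the bsdauth/pam/skey list) are local NetBSD changes unrelated to this PR.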
From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc: christos@netbsd.org
Subject: Re: PR/58412 CVS commit: src/crypto/external/bsd/openssh/dist
Date: Sun, 14 Jul 2024 22:11:51 +0000 (UTC)
On Sat, 13 Jul 2024, Christos Zoulas wrote:
> Unfortunately, there is nothing there either :-(
>
Odd. It's there in the portable version's man-page:
```
--- ssh/sshd_config.5 2024-06-24 06:59:39.000000000 +0000
+++ openssh-9.8p1/sshd_config.5 2024-07-01 04:36:28.000000000 +0000
@@ -205,10 +205,9 @@
For keyboard interactive authentication it is also possible to
restrict authentication to a specific device by appending a
colon followed by the device identifier
-.Cm bsdauth ,
-.Cm pam ,
+.Cm bsdauth
or
-.Cm skey ,
+.Cm pam .
depending on the server configuration.
For example,
.Qq keyboard-interactive:bsdauth
@@ -1308,6 +1307,7 @@
.Cm LogLevel ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
+.Cm PAMServiceName ,
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords ,
.Cm PermitListen ,
@@ -1374,10 +1374,17 @@
key exchange methods.
The default is
.Pa /etc/moduli .
+.It Cm PAMServiceName
+Specifies the service name used for Pluggable Authentication Modules (PAM)
+authentication, authorisation and session controls when
+.Cm UsePAM
+is enabled.
+The default is
+.Cm sshd .
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
-.Cm yes .
+.Cm sshd .
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
@@ -1982,6 +1989,30 @@
.Cm Match
.Cm Host
directives.
+.It Cm UsePAM
+Enables the Pluggable Authentication Module interface.
+If set to
+.Cm yes
+this will enable PAM authentication using
+.Cm KbdInteractiveAuthentication
+and
+.Cm PasswordAuthentication
+in addition to PAM account and session module processing for all
+authentication types.
+.Pp
+Because PAM keyboard-interactive authentication usually serves an equivalent
+role to password authentication, you should disable either
+.Cm PasswordAuthentication
+or
+.Cm KbdInteractiveAuthentication .
+.Pp
+If
+.Cm UsePAM
+is enabled, you will not be able to run
+.Xr sshd 8
+as a non-root user.
+The default is
+.Cm no .
.It Cm VersionAddendum
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
```
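Review bot: the first hunk (@@ -205,10 +205,9 @@) drops `.Cm skey ,` from the keyboard-interactive device list, which is the portable build removing S/Key, not anything to do with PAMServiceName. NetBSD's own ssh_config.5, per the diff earlier in this thread, still lists bsdauth, pam and skey, so this hunk should not be merged; only the PAMServiceName and UsePAM hunks are relevant to this PR.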
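Review bot: the last change in the third hunk (@@ -1374,10 +1374,17 @@) replaces the PasswordAuthentication default `.Cm yes .` with `.Cm sshd .`, which is wrong: PasswordAuthentication is a yes/no option and its default is yes. Only the new `.It Cm PAMServiceName` entry with its `.Cm sshd` default belongs in this hunk; whoever merges it into NetBSD's sshd_config.5 should keep `.Cm yes .` under PasswordAuthentication.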
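Review bot: the fourth hunk (@@ -1982,6 +1989,30 @@) documents UsePAM with `The default is .Cm no .`, which is the portable default. The reporter hit the PAM error with a stock /etc/ssh/sshd_config and had to set UsePAM=no to work around it, so NetBSD's effective default appears to be yes; check the default in servconf.c before merging that line so the man page does not contradict the shipped configuration.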
-RVP
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58412 CVS commit: src/crypto/external/bsd/openssh/dist
Date: Sun, 21 Jul 2024 16:18:06 -0400
Module Name: src
Committed By: christos
Date: Sun Jul 21 20:18:06 UTC 2024
Modified Files:
src/crypto/external/bsd/openssh/dist: sshd_config.5
Log Message:
PR/58412: RVP: Add more info from the portable man page
To generate a diff of this commit:
cvs rdiff -u -r1.44 -r1.45 src/crypto/external/bsd/openssh/dist/sshd_config.5
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->feedback
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Tue, 08 Oct 2024 22:00:42 +0000
State-Changed-Why:
Was this fixed? Does it need pullup?
From: Christos Zoulas <christos@zoulas.com>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org,
"riastradh@netbsd.org" <riastradh@NetBSD.org>,
"martin@netbsd.org" <martin@NetBSD.org>
Subject: Re: bin/58412 (ssh update breaks sshd)
Date: Tue, 8 Oct 2024 18:06:02 -0400
It was fixed, we can pull it up; it is just the man page?
christos
> On Oct 8, 2024, at 6:00 PM, riastradh@netbsd.org <riastradh@NetBSD.org> wrote:
>
> Synopsis: ssh update breaks sshd
>
> State-Changed-From-To: open->feedback
> State-Changed-By: riastradh@NetBSD.org
> State-Changed-When: Tue, 08 Oct 2024 22:00:42 +0000
> State-Changed-Why:
> Was this fixed? Does it need pullup?
>
>
From: Taylor R Campbell <riastradh@NetBSD.org>
To: Christos Zoulas <christos@zoulas.com>
Cc: gnats-bugs@NetBSD.org, gnats-admin@NetBSD.org,
netbsd-bugs@NetBSD.org, martin@NetBSD.org
Subject: Re: bin/58412 (ssh update breaks sshd)
Date: Tue, 8 Oct 2024 22:08:03 +0000
> Date: Tue, 8 Oct 2024 18:06:02 -0400
> From: Christos Zoulas <christos@zoulas.com>
>
> It was fixed, we can pull it up; it is just the man page?
This looks like more than just man page:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58412 CVS commit: src/crypto/external/bsd/openssh/dist
Date: Wed, 10 Jul 2024 10:42:01 -0400
Module Name: src
Committed By: christos
Date: Wed Jul 10 14:42:01 UTC 2024
Modified Files:
src/crypto/external/bsd/openssh/dist: servconf.c
Log Message:
PR/58412: Martin Husemann: sync with the portable version, adds default
PAMServiceName handling.
To generate a diff of this commit:
cvs rdiff -u -r1.46 -r1.47 src/crypto/external/bsd/openssh/dist/servconf.c
From: Christos Zoulas <christos@zoulas.com>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org,
"martin@netbsd.org" <martin@NetBSD.org>
Subject: Re: bin/58412 (ssh update breaks sshd)
Date: Tue, 8 Oct 2024 19:40:09 -0400
New ssh is only in HEAD.
christos
> On Oct 8, 2024, at 6:10 PM, Taylor R Campbell via gnats <gnats-admin@NetBSD.org> wrote:
>
> The following reply was made to PR bin/58412; it has been noted by GNATS.
>
> From: Taylor R Campbell <riastradh@NetBSD.org>
> To: Christos Zoulas <christos@zoulas.com>
> Cc: gnats-bugs@NetBSD.org, gnats-admin@NetBSD.org,
> netbsd-bugs@NetBSD.org, martin@NetBSD.org
> Subject: Re: bin/58412 (ssh update breaks sshd)
> Date: Tue, 8 Oct 2024 22:08:03 +0000
>
>> Date: Tue, 8 Oct 2024 18:06:02 -0400
>> From: Christos Zoulas <christos@zoulas.com>
>>
>> It was fixed, we can pull it up; it is just the man page?
>
> This looks like more than just man page:
>
> From: "Christos Zoulas" <christos@netbsd.org>
> To: gnats-bugs@gnats.NetBSD.org
> Cc:
> Subject: PR/58412 CVS commit: src/crypto/external/bsd/openssh/dist
> Date: Wed, 10 Jul 2024 10:42:01 -0400
>
> Module Name: src
> Committed By: christos
> Date: Wed Jul 10 14:42:01 UTC 2024
>
> Modified Files:
> src/crypto/external/bsd/openssh/dist: servconf.c
>
> Log Message:
> PR/58412: Martin Husemann: sync with the portable version, adds default
> PAMServiceName handling.
>
>
> To generate a diff of this commit:
> cvs rdiff -u -r1.46 -r1.47 src/crypto/external/bsd/openssh/dist/servconf.c
>
>Unformatted: