NetBSD Problem Report #58412

From martin@aprisoft.de  Wed Jul 10 09:41:59 2024
Return-Path: <martin@aprisoft.de>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 9556F1A9238
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 10 Jul 2024 09:41:59 +0000 (UTC)
Message-Id: <20240710094149.0D2A85CC795@emmas.aprisoft.de>
Date: Wed, 10 Jul 2024 11:41:49 +0200 (CEST)
From: martin@NetBSD.org
Reply-To: martin@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: ssh update breaks sshd
X-Send-Pr-Version: 3.95

>Number:         58412
>Category:       bin
>Synopsis:       ssh update breaks sshd
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    bin-bug-people
>State:          feedback
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jul 10 09:45:00 +0000 2024
>Closed-Date:    
>Last-Modified:  Tue Oct 08 23:45:01 +0000 2024
>Originator:     Martin Husemann
>Release:        NetBSD 10.99.11
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD out-of-the-silent-planet.aprisoft.de 10.99.11 NetBSD 10.99.11 (GENERIC64) #451: Wed Jul 10 10:14:12 CEST 2024 martin@seven-days-to-the-wolves.aprisoft.de:/work/src/sys/arch/evbarm/compile/GENERIC64 evbarm
Architecture: aarch64
Machine: evbarm
>Description:

After updating this machine to -current I couldn't log in via ssh any more:

sshd-session[1709]: fatal: sshpam_init: internal error: NULL PAM service name

My /etc/pam.d is identical to the distributed version.

>How-To-Repeat:

Update a working machine to current, try to log in via ssh.

Setting UsePAM=no in /etc/ssh/sshd_config and restarting sshd works around it.

>Fix:
n/a

>Release-Note:

>Audit-Trail:
From: RVP <rvp@SDF.ORG>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/58412: ssh update breaks sshd
Date: Wed, 10 Jul 2024 12:57:22 +0000 (UTC)

 In our src/crypto/external/bsd/openssh/dist/auth-pam.c, we have:

 #define SSHD_PAM_SERVICE		getprogname()

 but, in one of the commit messages leading to 9.8, we read:

 ```
 commit a8fbe2f7d0d96d299ee8e69769e3b51067978748
 Author: Damien Miller <djm@mindrot.org>
 Date:   Thu Jun 13 16:41:29 2024 +1000

      sshd: don't use argv[0] as PAM service name

      sshd would implicitly use argv[0] as the PAM service name to
      allow people to select different PAM service names by making
      differently-named copies/links to the sshd binary.

      Splitting sshd into sshd/sshd-session broke this, as the process
      that starts PAM is always sshd-session and the user has no control
      over this.

      Hardcode "sshd" as the default PAM service name unless/until we
      figure out a better way. Should unbreak OSX integration tests.
 ```

 So, hard-code it to "sshd" or set a `PAMServiceName "sshd"' in sshd_config
 as an override.

 -RVP
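
A preflight check for the failure described in this PR, added here as an example; it is not code from the PR, from NetBSD or from OpenSSH. It assumes that `sshd -T` dumps the effective configuration one lowercase keyword per line, including `usepam` and `pamservicename`, and that PAM policies are per-service files in a pam.d directory (/etc/pam.d on a real host). The dumps and the pam.d directory in the demo are constructed, not captured from a real system.

```sh
# Added example (not from the PR, NetBSD or OpenSSH): before restarting sshd,
# confirm that the PAM service name it will use has a policy file in pam.d.
# Assumed: `sshd -T` prints lowercase "usepam" and "pamservicename" lines.

# Print the effective PAM service name from a saved `sshd -T` dump.
# If the keyword is absent, fall back to "sshd", the default the upstream
# commit quoted above hardcodes in place of argv[0].
pam_service_from_dump() {
    name=$(awk '$1 == "pamservicename" { print $2; exit }' "$1")
    printf '%s\n' "${name:-sshd}"
}

# Print "yes" or "no" for UsePAM from a saved `sshd -T` dump ("no" if absent).
usepam_from_dump() {
    v=$(awk '$1 == "usepam" { print $2; exit }' "$1")
    printf '%s\n' "${v:-no}"
}

# check_pam_policy PAMD_DIR DUMP_FILE
# Returns 0 when sshd can initialise PAM (UsePAM off, or the policy file
# for the chosen service name exists); returns 1 when it would fail.
check_pam_policy() {
    pamd=$1
    dump=$2
    if [ "$(usepam_from_dump "$dump")" != yes ]; then
        echo "UsePAM no: PAM service name is not used"
        return 0
    fi
    svc=$(pam_service_from_dump "$dump")
    if [ -f "$pamd/$svc" ]; then
        echo "ok: $pamd/$svc exists"
        return 0
    fi
    echo "missing: $pamd/$svc (set PAMServiceName to an existing policy)" >&2
    return 1
}

# Demo on a constructed pam.d and constructed dumps (not real system files).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/pam.d"
: > "$demo_dir/pam.d/sshd"
printf 'usepam yes\npamservicename sshd\n' > "$demo_dir/ok.dump"
printf 'usepam yes\npamservicename sshd-session\n' > "$demo_dir/bad.dump"
printf 'usepam no\n' > "$demo_dir/nopam.dump"
check_pam_policy "$demo_dir/pam.d" "$demo_dir/ok.dump"
check_pam_policy "$demo_dir/pam.d" "$demo_dir/bad.dump" || echo "-> no policy for that service name"
check_pam_policy "$demo_dir/pam.d" "$demo_dir/nopam.dump"
rm -rf "$demo_dir"
```

On a real host, save the dump with `sshd -T > dump` and run `check_pam_policy /etc/pam.d dump` after sourcing the functions; the "sshd-session" dump mirrors what an argv[0]-derived service name would resolve to after the sshd/sshd-session split.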

From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/58412 CVS commit: src/crypto/external/bsd/openssh/dist
Date: Wed, 10 Jul 2024 10:42:01 -0400

 Module Name:	src
 Committed By:	christos
 Date:		Wed Jul 10 14:42:01 UTC 2024

 Modified Files:
 	src/crypto/external/bsd/openssh/dist: servconf.c

 Log Message:
 PR/58412: Martin Husemann: sync with the portable version, adds default
 PAMServiceName handling.


 To generate a diff of this commit:
 cvs rdiff -u -r1.46 -r1.47 src/crypto/external/bsd/openssh/dist/servconf.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc: christos@NetBSD.org
Subject: Re: PR/58412 CVS commit: src/crypto/external/bsd/openssh/dist
Date: Wed, 10 Jul 2024 22:40:41 +0000 (UTC)

 On Wed, 10 Jul 2024, Christos Zoulas wrote:

 > Modified Files:
 > 	src/crypto/external/bsd/openssh/dist: servconf.c
 >
 > Log Message:
 > PR/58412: Martin Husemann: sync with the portable version, adds default
 > PAMServiceName handling.
 >

 Thanks; sshd_config.5 will need merging as well. There's no mention of
 PAMServiceName at all there.

 -RVP

From: Christos Zoulas <christos@zoulas.com>
To: RVP <rvp@SDF.ORG>
Cc: gnats-bugs@netbsd.org,
 "christos@netbsd.org" <christos@NetBSD.org>
Subject: Re: PR/58412 CVS commit: src/crypto/external/bsd/openssh/dist
Date: Sat, 13 Jul 2024 10:26:15 -0400

 Unfortunately, there is nothing there either :-(

 christos

 [10:24am] 37>diff openssh-9.8p1/ssh_config.5 dist
 0a1
 > .\"  $NetBSD: ssh_config.5,v 1.42 2024/07/08 22:33:44 christos Exp $
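 Review bot: this compares ssh_config.5, the client-side man page (the dist side carries the $NetBSD: ssh_config.5 id), but PAMServiceName is an sshd_config keyword, so its absence from this diff says nothing about the server page; rerun the same diff against openssh-9.8p1/sshd_config.5 and the dist copy of that file before concluding it is missing.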
 37c38
 < .Dd $Mdocdate: June 17 2024 $
 ---
 > .Dd June 17 2024
 1242a1244,1254
 > .It Cm IPv6PreferTemporary
 > In the absence of an explicitly specified
 > .Cm BindAddress ,
 > this defines whether to prefer temporary addresses as source address.
 > The argument to this can by either
 > .Cm yes ,
 > meaning to prefer any temporary address, or
 > .Cm no ,
 > resulting in the use of a permanent address, if available.
 > If this option isn't specified,
 > the address selection depends on the OS configuration.
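 Review bot: "The argument to this can by either" should read "can be either"; this IPv6PreferTemporary paragraph exists only on the dist side of the diff, so the typo is local and can be fixed in dist without an upstream round trip.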
 1259c1271,1272
 < .Cm bsdauth
 ---
 > .Cm bsdauth ,
 > .Cm pam ,
 1261c1274
 < .Cm pam .
 ---
 > .Cm skey .
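 Review bot: together with the 1259c1271,1272 hunk this shows dist listing three keyboard-interactive devices (bsdauth, pam, skey) where openssh-9.8p1 lists bsdauth and pam only; if skey is still meant to be offered on NetBSD, keep the local list, but apply the same decision to sshd_config.5 when it is merged for this PR so the two pages do not disagree.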

From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc: christos@netbsd.org
Subject: Re: PR/58412 CVS commit: src/crypto/external/bsd/openssh/dist
Date: Sun, 14 Jul 2024 22:11:51 +0000 (UTC)

 On Sat, 13 Jul 2024, Christos Zoulas wrote:

 > Unfortunately, there is nothing there either :-(
 >

 Odd. It's there in the portable version's man-page:

 ```
 --- ssh/sshd_config.5	2024-06-24 06:59:39.000000000 +0000
 +++ openssh-9.8p1/sshd_config.5	2024-07-01 04:36:28.000000000 +0000
 @@ -205,10 +205,9 @@
   For keyboard interactive authentication it is also possible to
   restrict authentication to a specific device by appending a
   colon followed by the device identifier
 -.Cm bsdauth ,
 -.Cm pam ,
 +.Cm bsdauth
   or
 -.Cm skey ,
 +.Cm pam .
   depending on the server configuration.
   For example,
   .Qq keyboard-interactive:bsdauth
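 Review bot: on the + side the line ".Cm pam ." ends the sentence, but the following context line continues with "depending on the server configuration", so the rendered text reads "or pam. depending on ..."; when merging, write ".Cm pam ," (as the removed skey line did) to keep the sentence whole. This hunk also drops skey from the device list, the same local difference seen in ssh_config.5, so decide once whether NetBSD keeps it.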
 @@ -1308,6 +1307,7 @@
   .Cm LogLevel ,
   .Cm MaxAuthTries ,
   .Cm MaxSessions ,
 +.Cm PAMServiceName ,
   .Cm PasswordAuthentication ,
   .Cm PermitEmptyPasswords ,
   .Cm PermitListen ,
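 Review bot: listing PAMServiceName among the Match keywords documents it as settable per Match block; confirm that the servconf.c sync (revision 1.47) accepts it inside Match, otherwise the page advertises a per-connection PAM policy that the parser will reject.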
 @@ -1374,10 +1374,17 @@
   key exchange methods.
   The default is
   .Pa /etc/moduli .
 +.It Cm PAMServiceName
 +Specifies the service name used for Pluggable Authentication Modules (PAM)
 +authentication, authorisation and session controls when
 +.Cm UsePAM
 +is enabled.
 +The default is
 +.Cm sshd .
   .It Cm PasswordAuthentication
   Specifies whether password authentication is allowed.
   The default is
 -.Cm yes .
 +.Cm sshd .
   .It Cm PermitEmptyPasswords
   When password authentication is allowed, it specifies whether the
   server allows login to accounts with empty password strings.
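 Review bot: the last change in this hunk turns the PasswordAuthentication default from ".Cm yes ." into ".Cm sshd .", which cannot be right for a yes/no keyword; ".Cm sshd ." is the PAMServiceName default documented a few lines above, so this looks like a misplaced edit, and the merged page should keep ".Cm yes ." under PasswordAuthentication.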
 @@ -1982,6 +1989,30 @@
   .Cm Match
   .Cm Host
   directives.
 +.It Cm UsePAM
 +Enables the Pluggable Authentication Module interface.
 +If set to
 +.Cm yes
 +this will enable PAM authentication using
 +.Cm KbdInteractiveAuthentication
 +and
 +.Cm PasswordAuthentication
 +in addition to PAM account and session module processing for all
 +authentication types.
 +.Pp
 +Because PAM keyboard-interactive authentication usually serves an equivalent
 +role to password authentication, you should disable either
 +.Cm PasswordAuthentication
 +or
 +.Cm KbdInteractiveAuthentication .
 +.Pp
 +If
 +.Cm UsePAM
 +is enabled, you will not be able to run
 +.Xr sshd 8
 +as a non-root user.
 +The default is
 +.Cm no .
   .It Cm VersionAddendum
   Optionally specifies additional text to append to the SSH protocol banner
   sent by the server upon connection.
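 Review bot: "The default is .Cm no ." states the built-in default for UsePAM, yet the report shows PAM active on an install whose /etc/pam.d was the distributed one (setting UsePAM=no was the workaround), so the merged page should say where NetBSD turns UsePAM on, or readers will assume PAM is off unless they enabled it; the advice to disable one of PasswordAuthentication and KbdInteractiveAuthentication and the non-root caveat should stay as written.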
 ```

 -RVP

From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/58412 CVS commit: src/crypto/external/bsd/openssh/dist
Date: Sun, 21 Jul 2024 16:18:06 -0400

 Module Name:	src
 Committed By:	christos
 Date:		Sun Jul 21 20:18:06 UTC 2024

 Modified Files:
 	src/crypto/external/bsd/openssh/dist: sshd_config.5

 Log Message:
 PR/58412: RVP: Add more info from the portable man page


 To generate a diff of this commit:
 cvs rdiff -u -r1.44 -r1.45 src/crypto/external/bsd/openssh/dist/sshd_config.5

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->feedback
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Tue, 08 Oct 2024 22:00:42 +0000
State-Changed-Why:
Was this fixed?  Does it need pullup?


From: Christos Zoulas <christos@zoulas.com>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org,
 netbsd-bugs@netbsd.org,
 "riastradh@netbsd.org" <riastradh@NetBSD.org>,
 "martin@netbsd.org" <martin@NetBSD.org>
Subject: Re: bin/58412 (ssh update breaks sshd)
Date: Tue, 8 Oct 2024 18:06:02 -0400


 It was fixed, we can pull it up; it is just the man page?

 christos

 > On Oct 8, 2024, at 6:00 PM, riastradh@netbsd.org <riastradh@NetBSD.org> wrote:
 >
 > Synopsis: ssh update breaks sshd
 >
 > State-Changed-From-To: open->feedback
 > State-Changed-By: riastradh@NetBSD.org
 > State-Changed-When: Tue, 08 Oct 2024 22:00:42 +0000
 > State-Changed-Why:
 > Was this fixed?  Does it need pullup?
 >
 >


From: Taylor R Campbell <riastradh@NetBSD.org>
To: Christos Zoulas <christos@zoulas.com>
Cc: gnats-bugs@NetBSD.org, gnats-admin@NetBSD.org,
	netbsd-bugs@NetBSD.org, martin@NetBSD.org
Subject: Re: bin/58412 (ssh update breaks sshd)
Date: Tue, 8 Oct 2024 22:08:03 +0000

 > Date: Tue, 8 Oct 2024 18:06:02 -0400
 > From: Christos Zoulas <christos@zoulas.com>
 > 
 > It was fixed, we can pull it up; it is just the man page?

 This looks like more than just man page:

 From: "Christos Zoulas" <christos@netbsd.org>
 To: gnats-bugs@gnats.NetBSD.org
 Cc: 
 Subject: PR/58412 CVS commit: src/crypto/external/bsd/openssh/dist
 Date: Wed, 10 Jul 2024 10:42:01 -0400

  Module Name:	src
  Committed By:	christos
  Date:		Wed Jul 10 14:42:01 UTC 2024

  Modified Files:
  	src/crypto/external/bsd/openssh/dist: servconf.c

  Log Message:
  PR/58412: Martin Husemann: sync with the portable version, adds default
  PAMServiceName handling.


  To generate a diff of this commit:
  cvs rdiff -u -r1.46 -r1.47 src/crypto/external/bsd/openssh/dist/servconf.c

From: Christos Zoulas <christos@zoulas.com>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org,
 netbsd-bugs@netbsd.org,
 "martin@netbsd.org" <martin@NetBSD.org>
Subject: Re: bin/58412 (ssh update breaks sshd)
Date: Tue, 8 Oct 2024 19:40:09 -0400


 New ssh is only in HEAD.

 christos

 > On Oct 8, 2024, at 6:10 PM, Taylor R Campbell via gnats <gnats-admin@NetBSD.org> wrote:
 >
 > The following reply was made to PR bin/58412; it has been noted by GNATS.
 >
 > From: Taylor R Campbell <riastradh@NetBSD.org>
 > To: Christos Zoulas <christos@zoulas.com>
 > Cc: gnats-bugs@NetBSD.org, gnats-admin@NetBSD.org,
 > 	netbsd-bugs@NetBSD.org, martin@NetBSD.org
 > Subject: Re: bin/58412 (ssh update breaks sshd)
 > Date: Tue, 8 Oct 2024 22:08:03 +0000
 >
 >> Date: Tue, 8 Oct 2024 18:06:02 -0400
 >> From: Christos Zoulas <christos@zoulas.com>
 >>
 >> It was fixed, we can pull it up; it is just the man page?
 >
 > This looks like more than just man page:
 >
 > From: "Christos Zoulas" <christos@netbsd.org>
 > To: gnats-bugs@gnats.NetBSD.org
 > Cc:
 > Subject: PR/58412 CVS commit: src/crypto/external/bsd/openssh/dist
 > Date: Wed, 10 Jul 2024 10:42:01 -0400
 >
 >  Module Name:	src
 >  Committed By:	christos
 >  Date:		Wed Jul 10 14:42:01 UTC 2024
 >
 >  Modified Files:
 >  	src/crypto/external/bsd/openssh/dist: servconf.c
 >
 >  Log Message:
 >  PR/58412: Martin Husemann: sync with the portable version, adds default
 >  PAMServiceName handling.
 >
 >
 >  To generate a diff of this commit:
 >  cvs rdiff -u -r1.46 -r1.47 src/crypto/external/bsd/openssh/dist/servconf.c
 >


>Unformatted:

Copyright © 1994-2024 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.