sshd hardcodes SSHD_PAM_SERVICE

Bug #189183 reported by Tore Anderson
Affects            Status         Importance   Assigned to    Milestone
openssh (Debian)   Fix Released   Unknown
openssh (Ubuntu)   Fix Released   Medium       Colin Watson

Bug Description

Line 99 of openssh-4.6p1/debian/rules:

$(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='$(OPTFLAGS) $(PIE_CFLAGS) -g -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -std=gnu99 -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -DSSH_EXTRAVERSION="\" $(SSH_EXTRAVERSION)\""'

From auth-pam.h:

#if !defined(SSHD_PAM_SERVICE)
# define SSHD_PAM_SERVICE __progname
#endif

This macro is then used in the pam_start() call in auth-pam.c. The result of this is that there is no way to have two separate sshd processes with different PAM configurations. You can specify different sshd_config-files, sure, but they end up using the same PAM config file no matter what. The expected behaviour is that if you symlink /usr/sbin/sshd-opie to /usr/sbin/sshd and start it using the sshd-opie symlink, it should be using /etc/pam.d/sshd-opie instead of the default.

It would be much better if the binary didn't hardcode this, or at least provided some way of overriding the PAM service name at run-time.

I think this bug stems from Debian. I know it's not unusual for Debian packages to have eccentric limitations and modifications added, but I hope it can be fixed in Ubuntu anyway.

Tore
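
The behaviour described in the report above, as an added example that is not OpenSSH code and not part of the original report. The hardcoded parameter models a build-time -DSSHD_PAM_SERVICE value (NULL models the macro falling back to __progname); all helper names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for OpenSSH's __progname: the basename of argv[0]. */
static const char *progname_of(const char *argv0) {
    const char *slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* hardcoded models a build-time -DSSHD_PAM_SERVICE=\"...\" (assumption);
 * NULL models a build where the macro falls back to __progname. */
static const char *pam_service(const char *argv0, const char *hardcoded) {
    return hardcoded ? hardcoded : progname_of(argv0);
}

/* Writes the PAM config path for one instance; -1 if it does not fit. */
static int pam_config_path(const char *argv0, const char *hardcoded,
                           char *out, size_t n) {
    int w = snprintf(out, n, "/etc/pam.d/%s", pam_service(argv0, hardcoded));
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

/* Counts pairs of instances that end up on the same PAM service, i.e.
 * instances that cannot be given separate authentication policies. */
static int shared_policy_pairs(const char *const *argv0s, int count,
                               const char *hardcoded) {
    int pairs = 0;
    for (int i = 0; i < count; i++)
        for (int j = i + 1; j < count; j++)
            if (strcmp(pam_service(argv0s[i], hardcoded),
                       pam_service(argv0s[j], hardcoded)) == 0)
                pairs++;
    return pairs;
}

int main(void) {
    /* Constructed sample: the two invocation names from the report. */
    const char *const instances[] = { "/usr/sbin/sshd", "/usr/sbin/sshd-opie" };
    const char *const builds[] = { "ssh", NULL }; /* -D from debian/rules vs. unset */
    char path[256];
    for (int b = 0; b < 2; b++) {
        printf("build: %s\n", builds[b] ? "SSHD_PAM_SERVICE=\"ssh\"" : "macro unset");
        for (int i = 0; i < 2; i++)
            if (pam_config_path(instances[i], builds[b], path, sizeof path) == 0)
                printf("  %-20s -> %s\n", instances[i], path);
        printf("  shared-policy pairs: %d\n",
               shared_policy_pairs(instances, 2, builds[b]));
    }
    return 0;
}
```

A non-zero pair count means a second instance such as sshd-opie is authenticating against the same PAM stack as the default daemon, whatever its sshd_config says.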

Colin Watson (cjwatson) wrote :

You might like to be aware that the Debian maintainer and the main Ubuntu maintainer for openssh are the same person, namely me. Having a go at Debian in Ubuntu bug reports often does not get the response you might be looking for ...

This is Debian bug #255870. I've been meaning to fix it for a while, but the pain of moving conffiles around is such that something else has always ended up higher on my list.

Changed in openssh:
importance: Undecided → Medium
status: New → Triaged
Changed in openssh:
status: Unknown → New
Tore Anderson (toreanderson) wrote : Re: [Bug 189183] Re: sshd hardcodes SSHD_PAM_SERVICE

* Colin Watson

> You might like to be aware that the Debian maintainer and the main
> Ubuntu maintainer for openssh are the same person, namely me. Having a
> go at Debian in Ubuntu bug reports often does not get the response you
> might be looking for ...

I was aware of that. No offence intended. I apologise if you felt that
way.

Red Hat, SuSE, and probably most other distros, are using the default
PAM config file location with no ill effects. This modification is
undisputedly eccentric to Debian (and by extension Ubuntu).

I could not think of any sound technical reason for making such a change
in the first place, and at the same time it's fairly obvious that it was
not an accident either. Whenever I stumble across «Debianisms» such as
this one they are usually due to some requirement in the Debian policy,
so I assumed that to be the case here too.

Since Ubuntu isn't bound to the Debian policy, I was hoping that the
Ubuntu packages could be changed back to match the upstream default
and established practice of using /etc/pam.d/`basename $0` as the PAM
configuration file location.

Regards
--
Tore Anderson

Colin Watson (cjwatson) wrote :

OK, for the record, this isn't a question of Debian policy - it's just that the wrong response was taken to a very old bug and now it requires some work to clean up the mess. It can and should be fixed in both distributions.

Colin Watson (cjwatson) wrote :

openssh (1:4.7p1-4) unstable; urgency=low

  [ Caleb Case ]
  * Fix configure detection of getseuserbyname and
    get_default_context_with_level (closes: #465614, LP: #188136).

  [ Colin Watson ]
  * Include the autogenerated debian/copyright in the source package.
  * Move /etc/pam.d/ssh to /etc/pam.d/sshd, allowing us to stop defining
    SSHD_PAM_SERVICE (closes: #255870).

 -- Colin Watson <email address hidden> Wed, 13 Feb 2008 18:18:52 +0000

Changed in openssh:
assignee: nobody → kamion
status: Triaged → Fix Released
Changed in openssh:
status: New → Fix Released