I found a bug in pam_tty_audit.
When Using the pam_tty_audit with other pam modules(ex, pam_ldap), it failed in pam_open_session.
It was triggared by use uninitialized variable in pam_tty_audit.c::pam_open_session.
* Reproduction method
1. Install libpam-ldap.
2. Add the following to the end of /etc/pam.d/common-sessions
--------
session required pam_tty_audit.so enable=* open_only
--------
3. When logging in with ssh etc., pam_tty_audit will fail and login fails
* Logs (on Ubuntu14.04)
-- auth.log --
May 18 14:47:03 vm sshd[2272]: Accepted publickey for test from 10.99.0.1 port 51398 ssh2: RSA 8f:39:1c:3a:f4:9d:ca:99:67:fc:e3:fd:1e:0c:5b:a8
May 18 14:47:03 vm sshd[2272]: pam_unix(sshd:session): session opened for user test by (uid=0)
May 18 14:47:03 vm sshd[2272]: pam_tty_audit(sshd:session): error setting current audit status: Invalid argument
May 18 14:47:03 vm sshd[2272]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
May 18 14:47:03 vm sshd[2297]: Received disconnect from 10.99.0.1: 11: disconnected by user
-- syslog --
May 18 14:47:03 vm audispd: node=vm type=USER_ACCT msg=audit(1463550423.399:58): pid=2272 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success'
May 18 14:47:03 vm audispd: node=vm type=CRED_ACQ msg=audit(1463550423.403:59): pid=2272 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success'
May 18 14:47:03 vm audispd: node=vm type=LOGIN msg=audit(1463550423.403:60): pid=2272 uid=0 old-auid=4294967295 auid=20299 old-ses=4294967295 ses=3 res=1
May 18 14:47:03 vm audispd: node=vm type=CONFIG_CHANGE msg=audit(1463550423.403:61): pid=2272 uid=0 auid=20299 ses=3 op=tty_set old-enabled=0 new-enabled=1 old-log_passwd=0 new-log_passwd=32743 res=0
May 18 14:47:03 vm audispd: node=vm type=USER_START msg=audit(1463550423.447:62): pid=2272 uid=0 auid=20299 ses=3 msg='op=PAM:session_open acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=failed'
May 18 14:47:03 vm audispd: node=vm type=CRED_ACQ msg=audit(1463550423.447:63): pid=2297 uid=0 auid=20299 ses=3 msg='op=PAM:setcred acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success'
May 18 14:47:03 vm audispd: node=vm type=CRED_DISP msg=audit(1463550423.451:64): pid=2272 uid=0 auid=20299 ses=3 msg='op=PAM:setcred acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success'
Dear Maintainer.
I found a bug in pam_tty_audit. audit.c: :pam_open_ session.
When Using the pam_tty_audit with other pam modules(ex, pam_ldap), it failed in pam_open_session.
It was triggared by use uninitialized variable in pam_tty_
* Enviroments 3.16.0- 71-generic 3.16.0- 71.92~14. 04.1 modules: amd64 1.1.8-1ubuntu2.2
Ubuntu 14.04.4 LTS
linux-image-
libpam-ldap:amd64 184-8.5ubuntu3
libpam-
Ubuntu 16.04.2 TLS 4.4.0-62- generic 4.4.0-62.83 modules: amd64 1.1.8-3.2ubuntu2
linux-image-
libpam-ldap:amd64 184-8.7ubuntu1
libpam-
* Reproduction method d/common- sessions
1. Install libpam-ldap.
2. Add the following to the end of /etc/pam.
--------
session required pam_tty_audit.so enable=* open_only
--------
3. When logging in with ssh etc., pam_tty_audit will fail and login fails
* Solution /git.fedorahost ed.org/ cgit/linux- pam.git/ commit/ modules/ pam_tty_ audit/pam_ tty_audit. c?id=c5f829931a 22c65feffee1657 0efdae036524bee
apply upstream patch
https:/
* Logs (on Ubuntu14.04) 3a:f4:9d: ca:99:67: fc:e3:fd: 1e:0c:5b: a8 sshd:session) : session opened for user test by (uid=0) audit(sshd: session) : error setting current audit status: Invalid argument
-- auth.log --
May 18 14:47:03 vm sshd[2272]: Accepted publickey for test from 10.99.0.1 port 51398 ssh2: RSA 8f:39:1c:
May 18 14:47:03 vm sshd[2272]: pam_unix(
May 18 14:47:03 vm sshd[2272]: pam_tty_
May 18 14:47:03 vm sshd[2272]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
May 18 14:47:03 vm sshd[2297]: Received disconnect from 10.99.0.1: 11: disconnected by user
-- syslog -- 1463550423. 399:58) : pid=2272 uid=0 auid=4294967295 ses=4294967295 msg='op= PAM:accounting acct="test" exe="/usr/ sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success' 1463550423. 403:59) : pid=2272 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="test" exe="/usr/ sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success' 1463550423. 403:60) : pid=2272 uid=0 old-auid=4294967295 auid=20299 old-ses=4294967295 ses=3 res=1 1463550423. 403:61) : pid=2272 uid=0 auid=20299 ses=3 op=tty_set old-enabled=0 new-enabled=1 old-log_passwd=0 new-log_ passwd= 32743 res=0 1463550423. 447:62) : pid=2272 uid=0 auid=20299 ses=3 msg='op= PAM:session_ open acct="test" exe="/usr/ sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=failed' 1463550423. 447:63) : pid=2297 uid=0 auid=20299 ses=3 msg='op=PAM:setcred acct="test" exe="/usr/ sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success' 1463550423. 451:64) : pid=2272 uid=0 auid=20299 ses=3 msg='op=PAM:setcred acct="test" exe="/usr/ sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success'
May 18 14:47:03 vm audispd: node=vm type=USER_ACCT msg=audit(
May 18 14:47:03 vm audispd: node=vm type=CRED_ACQ msg=audit(
May 18 14:47:03 vm audispd: node=vm type=LOGIN msg=audit(
May 18 14:47:03 vm audispd: node=vm type=CONFIG_CHANGE msg=audit(
May 18 14:47:03 vm audispd: node=vm type=USER_START msg=audit(
May 18 14:47:03 vm audispd: node=vm type=CRED_ACQ msg=audit(
May 18 14:47:03 vm audispd: node=vm type=CRED_DISP msg=audit(
Thanks regards.