Running sshd with Privilege Separation drops connection on password change
Darren Tucker
2015-12-16 23:09:16 UTC
> Hi Darren/Damien,
> Sorry for responding so late. Still hope we can get this sorted out.
> Yes, I am indeed using PAM for ssh authentication, and disabling priv separation is a no-go for us since it opens up a security loophole.
> From what I can see in ptree and auth logs, when the child passwd process returns with SIGCHLD, the parent sshd process terminates.
Despite being asked for them earlier, you still have not provided the
full debug logs, which would tell, amongst other things, what version
of OpenSSH this is. That said...

> [...]
> Dec 16 22:22:13 knasim-ubuntu1 sshd[8623]: debug1: SELinux support disabled
I know of no version of OpenSSH supplied by us that has that message,
so I suspect you are using a modified version.
> Dec 16 22:22:13 knasim-ubuntu1 sshd[8569]: debug3: PAM: sshpam_passwd_conv called with 1 messages
> [...]
> Dec 16 22:22:24 knasim-ubuntu1 passwd[8624]: pam_unix(passwd:chauthtok): password changed for nasim
This is working exactly as I described in option #2 earlier: password
authentication followed by execing /bin/passwd.

Your other option is what I described in #1: Disable
PasswordAuthentication in sshd_config and use
ChallengeResponseAuthentication/KbdInteractiveAuthentication.
> Dec 16 22:22:24 knasim-ubuntu1 sshd[8623]: debug1: Received SIGCHLD.
> [...]
> Let me know what you guys think.
I think it is working as intended.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
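As an added example (not from this thread and not OpenSSH project code), the following POSIX shell checker verifies that an sshd configuration follows the option #1 layout described in the reply above: password authentication off, challenge-response (keyboard-interactive) authentication on, PAM on, and privilege separation left enabled. The directive names are real sshd_config keywords and `sshd -T` is the real extended-test flag that prints the effective configuration; the functions and the two sample configurations are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the thread): check an sshd configuration file
# against option #1 from the reply above. On a live host, feed it the
# effective configuration rather than the raw file, so Match blocks and
# defaults are already resolved:
#     sshd -T > /tmp/sshd_effective.conf
#     check_kbdint_config /tmp/sshd_effective.conf

# Print the first value given for a keyword, lowercased (sshd_config
# semantics: the first occurrence of a keyword wins). Empty output means
# the keyword is not set and the sshd_config(5) default applies.
get_directive() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Return 0 when the file matches option #1, 1 otherwise, naming each
# problem on stdout. Defaults follow sshd_config(5): PasswordAuthentication
# yes, ChallengeResponseAuthentication yes, UsePAM no,
# UsePrivilegeSeparation yes.
check_kbdint_config() {
    cfg=$1
    status=0
    pw=$(get_directive "$cfg" PasswordAuthentication)
    cr=$(get_directive "$cfg" ChallengeResponseAuthentication)
    # KbdInteractiveAuthentication is the alias the reply also mentions.
    [ -n "$cr" ] || cr=$(get_directive "$cfg" KbdInteractiveAuthentication)
    pam=$(get_directive "$cfg" UsePAM)
    privsep=$(get_directive "$cfg" UsePrivilegeSeparation)

    [ "${pw:-yes}" = "no" ] || { echo "PasswordAuthentication is '${pw:-yes}', want 'no'"; status=1; }
    [ "${cr:-yes}" = "yes" ] || { echo "ChallengeResponseAuthentication is '$cr', want 'yes'"; status=1; }
    [ "${pam:-no}" = "yes" ] || { echo "UsePAM is '${pam:-no}', want 'yes' (PAM performs the password change)"; status=1; }
    [ "${privsep:-yes}" != "no" ] || { echo "UsePrivilegeSeparation is 'no'; keep it enabled"; status=1; }
    return $status
}

# Constructed sample: the setup in the thread (password authentication via
# PAM), where an expired password makes sshd exec /bin/passwd after login
# and the session ends when passwd exits.
SAMPLE_PASSWORD_AUTH='UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePrivilegeSeparation sandbox'

# Constructed sample: option #1, where PAM changes the password inside the
# keyboard-interactive conversation and the session then continues.
SAMPLE_KBDINT='UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePrivilegeSeparation sandbox'

# Write a sample to a temp file and print its path, so the checker can be
# exercised without touching the real /etc/ssh/sshd_config.
sample_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    f=$(sample_file "$SAMPLE_PASSWORD_AUTH")
    echo "password-auth sample:"; check_kbdint_config "$f" || true; rm -f "$f"
    f=$(sample_file "$SAMPLE_KBDINT")
    echo "kbd-interactive sample:"; check_kbdint_config "$f" && echo "ok"; rm -f "$f"
fi
```

Run it with `--demo` to see both constructed samples evaluated; the first reports the two directives that differ from option #1, the second passes. Because `get_directive` lowercases keywords, it accepts both the mixed-case spelling of a hand-written sshd_config and the lowercase output of `sshd -T`.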
Jakub Jelen
2015-12-17 09:36:02 UTC
Post by Darren Tucker
> Dec 16 22:22:13 knasim-ubuntu1 sshd[8623]: debug1: SELinux support disabled
> I know of no version of OpenSSH supplied by us that has that message,
> so I suspect you are using a modified version.
FYI, it is part of port-linux.c:

https://anongit.mindrot.org/openssh.git/tree/openbsd-compat/port-linux.c#n53
Post by Darren Tucker
> On changing the password successfully, sshd will drop the connection
> and client has to reconnect.

Yes, this is intended behavior and described in the message to user
before prompting for password:
https://anongit.mindrot.org/openssh.git/tree/session.c#n1578

Without privilege separation there is, though, some problem that the
connection is NOT dropped, if I remember well, but I consider this
low priority, since it is not advised to use ssh without privilege
separation.
--
Jakub Jelen
Security Technologies
Red Hat