fix state confusion between PAM and privsep code

djmdjm · djmdjm · commit bdaf65ae51d6 · 2026-03-29T16:24:59.000+11:00
Commits b9a6dd4 and df2b281 introduced a potential desynchronisation between the PAM code and the sshd-session monitor that could result in authentication bypass if the unprivileged sshd-auth process had been compromised. Reported by Ben Edelman of NIST. Only git HEAD is affected, these changes have not yet been included in an OpenSSH release.
diff --git a/auth-pam.c b/auth-pam.c
@@ -1015,6 +1015,14 @@ sshpam_free_ctx(void *ctxtp)
 	 */
 }
 
+int
+sshpam_priv_kbdint_authdone(void *ctxtp)
+{
+	struct pam_ctxt *ctxt = ctxtp;
+
+	return ctxt->pam_done == SshPamAuthenticated;
+}
+
 KbdintDevice sshpam_device = {
 	"pam",
 	sshpam_init_ctx,
diff --git a/auth-pam.h b/auth-pam.h
@@ -42,5 +42,6 @@ int sshpam_auth_passwd(Authctxt *, const char *);
 int sshpam_get_maxtries_reached(void);
 void sshpam_set_maxtries_reached(int);
 int is_pam_session_open(void);
+int sshpam_priv_kbdint_authdone(void *ctxtp);
 
 #endif /* USE_PAM */
diff --git a/monitor.c b/monitor.c
@@ -1204,7 +1204,7 @@ mm_answer_pam_query(struct ssh *ssh, int sock, struct sshbuf *m)
 		fatal_f("no context");
 	ret = (sshpam_device.query)(sshpam_ctxt, &name, &info,
 	    &num, &prompts, &echo_on);
-	if (ret == 0 && num == 0)
+	if (ret == 0 && num == 0 && sshpam_priv_kbdint_authdone(sshpam_ctxt))
 		sshpam_authok = sshpam_ctxt;
 	if (num > 1 || name == NULL || info == NULL)
 		fatal("sshpam_device.query failed");
