A customer called in complaining that when he logs into an Irix system using ssh and the irix system runs any flavor of sshd, that who/finger type utilities do not see his login, thus preventing himself as well as others to see who is logged in. The customer was using different levels of Irix and the latest openssh he used was 3.4p1. The kicker here is that he had the "UseLogin" feature turned on, i.e. via the sshd_config file. I guess this causes a double login, i.e. the password is asked for twice in order to create some type of AFS token. Anyway, not using this feature, the utmp/utmpx records get created correctly but when the feature is on, the utmp/utmpx records do not get updated correctly. I did some testing and found the following. sshd via session.c and loginrec.c do all the login prep work as well are responsible to update the utmp/utmpx accounting files. Based on what sshd writes into the utmp/utmpx records, Irix's login/scheme code will update it with some other info. However, since the records were not updated properly by sshd, login/scheme basically ignores updating the records. I'll explain why below. -in the utmp/utmpx records, there is field, ut_type that records what state the record/user is in, i.e. #define EMPTY 0 #define RUN_LVL 1 #define BOOT_TIME 2 #define OLD_TIME 3 #define NEW_TIME 4 #define INIT_PROCESS 5 /* Process spawned by "init" */ #define LOGIN_PROCESS 6 /* A "getty" process waiting for login */ #define USER_PROCESS 7 /* A user process */ #define DEAD_PROCESS 8 #define ACCOUNTING 9 sshd is supposed to put the records, both utmp and utmpx, into the USER_PROCESS state. In the case where you do not use the "UseLogin yes", only one login/passwd is issued, it works properly, i.e. sshd places the record(s) into USER_PROCESS state and login/scheme sees that they are valid and updates the record(s). Utilities like who/finger/last work properly. In the case where you do use "UseLogin yes", which causes sshd to login twice, session.c uses different logic where it does not call the proper routines in loginrec.c to update the utmp/utmpx records with the proper state, i.e. it does not update the records to USER_PROCESS state. In fact, it does not touch this field, i.e. they are 0 or maybe set to DEAD_PROCESS but for sure it does not set the field to USER_PROCESS. Now when Irix's login/scheme sees these records and does not find the state to be either USER_PROCESS or INIT_PROCESS, it does not update some of the other fields.....but no big deal. The utilities like who/finger/last only look at ut_type to see if the user is active but if they do not see USER_PROCESS or INIT_PROCESS, then they will ignore the entrys.
Someone with regular access to Irix is going to need to fix this, marking as help-wanted.
Created attachment 2590 [details] skip record_login in privsep when UseLogin is active There is actually a bug here: if UseLogin is set, then we would automatically call record_login() in the monitor. session.c would skip do_login()->record_login() for the UseLogin case, but the monitor doesn't.
Comment on attachment 2590 [details] skip record_login in privsep when UseLogin is active >+ if (!options.use_login) >+ return; >+ Err, that's going to skip the login recording when UseLogin is INactive.
Created attachment 2591 [details] less wrong Apparently I fail at logic; invert test
fix committed - this will be in openssh-6.9
Close all resolved bugs after 7.3p1 release