Unable to break into a PAM module

Full Name nuncestbibendum@excite.com
Fri Jan 17 22:03:00 GMT 2020


     Well, I got it to work in the end. I would like to share what I did, in case it could be of use to someone.

     Just launching the SSH daemon from the debugger and setting breakpoints in the relevant PAM source code file won't usually work. This is because the SSH daemon forks child processes, and gdb seems to be unable to follow them properly. And, yes, I tried with the different 'set follow-*' commands in gdb.

  The following is what worked for me:

  1) Launch an instance of the SSH daemon, if necessary at some non-standard port:

    # <full-pathname>/sshd -p 8221

  2) Attempt a password-authenticated SSH connection to this daemon.

  3) When prompted for a password at the client, the SSH daemon will be blocking at the pam_sm_authenticate() function of the PAM module in charge
of the authentication.

  4) At the CLI in some terminal emulator issue the following command:

  $ ps awux | egrep sshd | egrep pam

The output from this should be similar to the following:

  root     20017  0.0  0.0 108312  1396 ?        S    14:03   0:00 sshd: <username> [pam]

where <username> is the username received from the client.

  5) Launch gdb:

  # gdb <full-pathname>/sshd

  6) At the gdb prompt issue the following command:

  (gdb) attach <process-id>

where <process-id> is the ID of the process that is doing the PAM stuff. In the example above, this would be 20017.

  7) The command above will load symbols for all relevant shared libraries. At this point, we can set a breakpoint somewhere at the target PAM module's
pam_sm_authenticate() function - e.g.:

  (gdb) b pam_my_module.c: 1121

  8) At the gdb prompt execute 'continue'.

  9) At the client side, type in the password. This will cause gdb to break at the line specified.

  Bear in mind that, for this to work, the breakpoint has to be set in the PAM source code's pam_sm_authenticate() function  _after_ it prompts the
client for a password - otherwise, gdb will of course not be able to break where told. If one wants to step through the pam_sm_authenticate() code
from the top, one should insert a line like

  sleep(60) ;

at the very start of this function. This will afford us 60 seconds to accomplish the nine steps above, which should be enough to set a breakpoint anywhere after the sleep() invocation.

  Finally, stepping through the PAM code will be far easier if the target PAM module has been compiled without optimizations.
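
Steps 4 to 8 of the post can be scripted. The following is an added example, not part of the original message: it picks the PID out of `ps` output by exact process title, so the grep process itself or another user's session is never selected, and then attaches gdb with the breakpoint already set. The function names `pam_pids`, `pick_single_pid` and `attach_pam` are hypothetical, and the script assumes the process title has the `sshd: <username> [pam]` form shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): automate steps 4-8.

# pam_pids USER: read "PID TITLE" lines (as printed by `ps -eo pid=,args=`)
# on stdin and print the PID of every process whose title is exactly
# "sshd: USER [pam]".
pam_pids() {
    awk -v want="sshd: $1 [pam]" '{
        pid = $1
        sub(/^[ \t]*[0-9]+[ \t]+/, "")   # drop the PID column, keep the title
        sub(/[ \t]+$/, "")               # drop trailing blanks
        if ($0 == want) print pid
    }'
}

# pick_single_pid USER: succeed only when exactly one candidate exists, so
# gdb is never attached to the wrong connection.
pick_single_pid() {
    pids=$(pam_pids "$1")
    count=$(printf '%s\n' "$pids" | grep -c '[0-9]' || true)
    if [ "$count" -ne 1 ]; then
        echo "expected 1 'sshd: $1 [pam]' process, found $count" >&2
        return 1
    fi
    printf '%s\n' "$pids"
}

# attach_pam SSHD_PATH USER LOCATION
# LOCATION is a gdb breakpoint location placed after the password prompt,
# e.g. pam_my_module.c:1121 as in step 7. Run as root while the client is
# sitting at the password prompt, then type the password at the client.
attach_pam() {
    pid=$(ps -eo pid=,args= | pick_single_pid "$2") || return 1
    gdb "$1" -p "$pid" -ex "break $3" -ex continue
}
```
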


