From owner-freebsd-security@FreeBSD.ORG Mon Sep 2 17:36:58 2013
From: Dag-Erling Smørgrav <des@des.no>
To: Slawa Olhovchenkov
Cc: freebsd-security@FreeBSD.org
Subject: Re: OpenSSH, PAM and kerberos
Date: Mon, 02 Sep 2013 19:36:57 +0200
Message-ID: <8661uj9lc6.fsf@nine.des.no>
In-Reply-To: <20130830131455.GW3796@zxy.spb.ru> (Slawa Olhovchenkov's message of "Fri, 30 Aug 2013 17:14:55 +0400")

Slawa Olhovchenkov writes:
> Hmmm, now I try to compile sshd with UNSUPPORTED_POSIX_THREADS_HACK and
> it works (/tmp/krb5cc_NNNN created, Kerberized login to other host
> working w/o entering password).

So they didn't break the thread version? You shouldn't use it, though, as the rest of OpenSSH is not thread-safe. The threads are only partially synchronized, and service modules may for instance call getpwent() and thereby clobber global state which OpenSSH relies on.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Sep 2 18:15:49 2013
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Dag-Erling Smørgrav
Cc: freebsd-security@FreeBSD.org
Subject: Re: OpenSSH, PAM and kerberos
Date: Mon, 2 Sep 2013 22:17:54 +0400
Message-ID: <20130902181754.GD3796@zxy.spb.ru>
In-Reply-To: <8661uj9lc6.fsf@nine.des.no>

On Mon, Sep 02, 2013 at 07:36:57PM +0200, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Hmmm, now I try to compile sshd with UNSUPPORTED_POSIX_THREADS_HACK and
> > it works (/tmp/krb5cc_NNNN created, Kerberized login to other host
> > working w/o entering password).
>
> So they didn't break the thread version? You shouldn't use it, though,
> as the rest of OpenSSH is not thread-safe. The threads are only
> partially synchronized, and service modules may for instance call
> getpwent() and thereby clobber global state which OpenSSH relies on.

As I understand it, the interaction between sshd and the PAM subsystem goes as follows:

1. sshd needs PAM auth.
2. It calls sshpam_init_ctx.
3. sshpam_init_ctx does sshpam_init.
4. For non-blocking processing, sshpam_init_ctx does pthread_create(sshpam_thread) (emulated by fork).
5. In the child process, sshpam_thread does pam_authenticate and stores the cred.
6. The child process is terminated by sshpam_free_ctx.
7. sshd does pam_setcred for the context from [2] (and the cred stored in the child process is lost).
8. sshd forks the less-privileged child.
9. The child terminates.
10. The PAM session is closed.

If in this scenario step 4 did pthread_create instead of fork, we would not lose the stored credentials and (I think) would have a fully synchronized thread (the new thread only works on request from the parent and only for a short time). Without a thread we need to constantly run 3 sshd processes: the unprivileged one, the privileged one working with PAM, and the master process.
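The credential loss in steps 5 to 7 comes down to one property of fork(): the child gets its own copy of the address space, so whatever it stores stays in that copy. The following C program is added here as an illustration and is not code from OpenSSH or from anyone in this thread. It stores a placeholder "credential" in a global first from a forked child and then from a joined pthread, and reports whether the parent can see it afterwards. The function names and the placeholder string are constructed for the example.

```c
/* Added example (not OpenSSH code): why a credential stored by a forked
 * "PAM thread" is invisible to the parent, while a store from a real
 * pthread is visible. Names are hypothetical; the "credential" is a
 * constructed placeholder string, not a Kerberos blob. */
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the credential pointer pam_krb5 keeps in process memory. */
static char stored_cred[64];

/* What the helper does, whether it runs as a child process or a thread. */
static void *authenticate_and_store(void *arg)
{
    (void)arg;
    /* Constructed value standing in for the result of pam_authenticate(). */
    strncpy(stored_cred, "krb5-tgt-placeholder", sizeof stored_cred - 1);
    return NULL;
}

/* Variant 1: helper in a forked child (the non-pthread emulation).
 * Returns 1 if the parent sees the stored credential afterwards, 0 if not,
 * -1 on fork failure. */
int parent_sees_cred_after_fork(void)
{
    stored_cred[0] = '\0';
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        authenticate_and_store(NULL);  /* writes the child's copy only */
        _exit(0);
    }
    waitpid(pid, NULL, 0);             /* child is gone, as after sshpam_free_ctx */
    return stored_cred[0] != '\0';     /* the parent's copy is still empty */
}

/* Variant 2: helper in a real thread sharing the address space.
 * Returns 1 if the parent sees the stored credential afterwards, 0 if not,
 * -1 on pthread_create failure. */
int parent_sees_cred_after_thread(void)
{
    stored_cred[0] = '\0';
    pthread_t tid;
    if (pthread_create(&tid, NULL, authenticate_and_store, NULL) != 0)
        return -1;
    pthread_join(tid, NULL);           /* parent waits; no concurrent access here */
    return stored_cred[0] != '\0';
}

int main(void)
{
    printf("fork:   parent sees credential = %d\n", parent_sees_cred_after_fork());
    printf("thread: parent sees credential = %d\n", parent_sees_cred_after_thread());
    return 0;
}
```

The thread variant only looks safe because the parent joins the thread before touching the global. That is the synchronization assumption the preceding message questions: a PAM module running in that thread may touch state the rest of sshd is using at the same time, and nothing in the program above would catch that.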
From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 07:51:35 2013
From: Dag-Erling Smørgrav <des@des.no>
To: Slawa Olhovchenkov
Cc: freebsd-security@FreeBSD.org
Subject: Re: OpenSSH, PAM and kerberos
Date: Tue, 03 Sep 2013 09:51:35 +0200
Message-ID: <867geywdfc.fsf@nine.des.no>
In-Reply-To: <20130902181754.GD3796@zxy.spb.ru> (Slawa Olhovchenkov's message of "Mon, 2 Sep 2013 22:17:54 +0400")

Slawa Olhovchenkov writes:
> If in this scenario step 4 did pthread_create instead of fork, we would
> not lose the stored credentials and (I think) would have a fully
> synchronized thread (the new thread only works on request from the
> parent and only for a short time).

It's not quite that simple. When a service module calls a conversation function, the event loop resumes until it receives an answer from the client. This is why PAM needs to run in a separate thread or process. OpenSSH was not designed to be multi-threaded, and we can't be sure there won't be conflicts.

Another problem is that libpam loads shared objects (the modules) when it runs, which may result in conflicts as well - especially with pam_ssh(8).

The proper solution would be an identification and authentication daemon with a well-designed RPC interface and mechanisms for transferring environment variables, descriptors and credentials from the daemon to the application (in this case, sshd).

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 08:30:57 2013
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Dag-Erling Smørgrav
Cc: freebsd-security@FreeBSD.org
Subject: Re: OpenSSH, PAM and kerberos
Date: Tue, 3 Sep 2013 12:33:01 +0400
Message-ID: <20130903083301.GF3796@zxy.spb.ru>
In-Reply-To: <867geywdfc.fsf@nine.des.no>

On Tue, Sep 03, 2013 at 09:51:35AM +0200, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > If in this scenario step 4 did pthread_create instead of fork, we would
> > not lose the stored credentials and (I think) would have a fully
> > synchronized thread (the new thread only works on request from the
> > parent and only for a short time).
>
> It's not quite that simple. When a service module calls a conversation
> function, the event loop resumes until it receives an answer from the
> client. This is why PAM needs to run in a separate thread or process.
> OpenSSH was not designed to be multi-threaded, and we can't be sure
> there won't be conflicts.

We can be sure if the separate thread doesn't access the same data as the rest of sshd, or while the rest of sshd waits for an answer from the separate thread. I don't see parallel execution in the separate thread.

> Another problem is that libpam loads shared objects (the modules) when
> it runs, which may result in conflicts as well - especially with
> pam_ssh(8).

Can you explain this? What conflicts, and in what scenario does sshd use pam_ssh?

> The proper solution would be an identification and authentication daemon
> with a well-designed RPC interface and mechanisms for transferring
> environment variables, descriptors and credentials from the daemon to
> the application (in this case, sshd).

I think this is impossible, because the credentials for pam_krb5 are a simple pointer to internal blobs of unknown size and structure, with links to other elements.

From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 09:31:09 2013
From: Dag-Erling Smørgrav <des@des.no>
To: Slawa Olhovchenkov
Cc: freebsd-security@FreeBSD.org
Subject: Re: OpenSSH, PAM and kerberos
Date: Tue, 03 Sep 2013 11:31:09 +0200
Message-ID: <86y57euu8y.fsf@nine.des.no>
In-Reply-To: <20130903083301.GF3796@zxy.spb.ru> (Slawa Olhovchenkov's message of "Tue, 3 Sep 2013 12:33:01 +0400")

Slawa Olhovchenkov writes:
> Dag-Erling Smørgrav writes:
> > The proper solution would be an identification and authentication daemon
> > with a well-designed RPC interface and mechanisms for transferring
> > environment variables, descriptors and credentials from the daemon to
> > the application (in this case, sshd).
> I think this is impossible, because the credentials for pam_krb5 are a
> simple pointer to internal blobs of unknown size and structure, with
> links to other elements.

When I spoke of passing credentials, I meant process credentials, not the cached Kerberos credentials - which the application does not need anyway. See SCM_CREDS in recv(2) for further information.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 09:35:52 2013
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Dag-Erling Smørgrav
Cc: freebsd-security@FreeBSD.org
Subject: Re: OpenSSH, PAM and kerberos
Date: Tue, 3 Sep 2013 13:37:57 +0400
Message-ID: <20130903093756.GG3796@zxy.spb.ru>
In-Reply-To: <86y57euu8y.fsf@nine.des.no>

On Tue, Sep 03, 2013 at 11:31:09AM +0200, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Dag-Erling Smørgrav writes:
> > > The proper solution would be an identification and authentication daemon
> > > with a well-designed RPC interface and mechanisms for transferring
> > > environment variables, descriptors and credentials from the daemon to
> > > the application (in this case, sshd).
> > I think this is impossible, because the credentials for pam_krb5 are a
> > simple pointer to internal blobs of unknown size and structure, with
> > links to other elements.
>
> When I spoke of passing credentials, I meant process credentials, not
> the cached Kerberos credentials - which the application does not need
> anyway. See SCM_CREDS in recv(2) for further information.

And how, in this case, can the situation with PAM credentials (Kerberos credentials in my case) be resolved?
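The mechanism DES points at with SCM_CREDS in recv(2) (and, later in the thread, with returning pam_setcred()'s result through sendmsg()) is Unix-socket ancillary data. The following C program is an added example, not code from OpenSSH, libpam or anyone in this thread: a forked helper process stands in for the proposed authentication daemon, creates a file, and hands the open descriptor together with a KRB5CCNAME-style string back to the application side over a socketpair using SCM_RIGHTS. SCM_CREDS is FreeBSD-specific (Linux uses SCM_CREDENTIALS with SO_PASSCRED), so the portable descriptor-passing form of the same control-message mechanism is shown; every function name, path and payload here is constructed for the example.

```c
/* Added example (not OpenSSH or libpam code): returning an open descriptor
 * and a short payload from a helper process to the application with
 * sendmsg(2)/recvmsg(2) and SCM_RIGHTS ancillary data. All names, the
 * payload string and the file contents are constructed for this example. */
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

#define PAYLOAD      "KRB5CCNAME=FILE:/tmp/krb5cc_example"  /* constructed */
#define FILE_CONTENT "constructed-ccache-bytes"              /* constructed */

/* Helper side: send one descriptor plus a NUL-terminated payload over sock.
 * Returns 0 on success, -1 on error. */
static int send_fd_with_payload(int sock, int fd, const char *payload)
{
    struct iovec iov = { .iov_base = (void *)payload, .iov_len = strlen(payload) + 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;             /* "this message carries a descriptor" */
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) < 0 ? -1 : 0;
}

/* Application side: receive the payload and the descriptor. Returns the
 * received fd, or -1 if the message carried no SCM_RIGHTS control data. */
static int recv_fd_with_payload(int sock, char *payload, size_t len)
{
    struct iovec iov = { .iov_base = payload, .iov_len = len };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) <= 0)
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;                          /* refuse a message without a descriptor */
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Whole exchange: fork a helper, let it create and fill a file, and receive
 * the open descriptor and the env-style payload on the application side.
 * Returns 1 when the file is readable through the received fd and the
 * payload arrived intact, 0 otherwise. */
int run_exchange(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {                                   /* helper process */
        close(sv[0]);
        char path[] = "/tmp/ccache-example-XXXXXX";
        int fd = mkstemp(path);
        if (fd < 0)
            _exit(1);
        unlink(path);                                 /* the open fd keeps it alive */
        if (write(fd, FILE_CONTENT, strlen(FILE_CONTENT)) < 0)
            _exit(1);
        lseek(fd, 0, SEEK_SET);
        send_fd_with_payload(sv[1], fd, PAYLOAD);
        _exit(0);
    }
    close(sv[1]);                                     /* application side */
    char payload[128] = { 0 };
    int fd = recv_fd_with_payload(sv[0], payload, sizeof payload - 1);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    if (fd < 0)
        return 0;
    char content[64] = { 0 };
    ssize_t n = read(fd, content, sizeof content - 1);
    close(fd);
    return n > 0 && strcmp(content, FILE_CONTENT) == 0 && strcmp(payload, PAYLOAD) == 0;
}

int main(void)
{
    printf("exchange ok = %d\n", run_exchange());
    return 0;
}
```

The receiver only trusts a descriptor when a control message of type SCM_RIGHTS actually arrived. A daemon built on this design would also want to verify who is on the other end of the socket (SCM_CREDS or LOCAL_PEERCRED on FreeBSD) before acting on anything it receives, which is the part of the proposal that descriptor passing alone does not cover.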
From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 09:39:18 2013
From: Dag-Erling Smørgrav <des@des.no>
To: Slawa Olhovchenkov
Cc: freebsd-security@FreeBSD.org
Subject: Re: OpenSSH, PAM and kerberos
Date: Tue, 03 Sep 2013 11:38:48 +0200
Message-ID: <86ppsqutw7.fsf@nine.des.no>
In-Reply-To: <20130903093756.GG3796@zxy.spb.ru> (Slawa Olhovchenkov's message of "Tue, 3 Sep 2013 13:37:57 +0400")

Slawa Olhovchenkov writes:
> Dag-Erling Smørgrav writes:
> > When I spoke of passing credentials, I meant process credentials, not
> > the cached Kerberos credentials - which the application does not need
> > anyway. See SCM_CREDS in recv(2) for further information.
> And how, in this case, can the situation with PAM credentials
> (Kerberos credentials in my case) be resolved?

The application does not need them.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 09:51:11 2013
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Dag-Erling Smørgrav
Cc: freebsd-security@FreeBSD.org
Subject: Re: OpenSSH, PAM and kerberos
Date: Tue, 3 Sep 2013 13:53:16 +0400
Message-ID: <20130903095316.GH3796@zxy.spb.ru>
In-Reply-To: <86ppsqutw7.fsf@nine.des.no>

On Tue, Sep 03, 2013 at 11:38:48AM +0200, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Dag-Erling Smørgrav writes:
> > > When I spoke of passing credentials, I meant process credentials, not
> > > the cached Kerberos credentials - which the application does not need
> > > anyway. See SCM_CREDS in recv(2) for further information.
> > And how, in this case, can the situation with PAM credentials
> > (Kerberos credentials in my case) be resolved?
>
> The application does not need them.

I need them. I need single sign-on: I need to enter my password only once, at login time, and use these credentials to log in to other hosts and use Kerberized NFS without entering a password.

From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 10:26:43 2013
From: Lev Serebryakov <lev@FreeBSD.org>
To: Dag-Erling Smørgrav
Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov
Subject: Re: OpenSSH, PAM and kerberos
Date: Tue, 3 Sep 2013 14:26:37 +0400
Message-ID: <998724759.20130903142637@serebryakov.spb.ru>
In-Reply-To: <86ppsqutw7.fsf@nine.des.no>

Hello, Dag-Erling.
You wrote on 3 September 2013 at 13:38:48:

>> And how, in this case, can the situation with PAM credentials
>> (Kerberos credentials in my case) be resolved?
DES> The application does not need them.

They are written to disk with pam_open_session(), and this call should be made by sshd, not by some "authorization daemon", if I understand the situation right. Or don't I?
-- 
// Black Lion AKA Lev Serebryakov

From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 10:37:19 2013
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Lev Serebryakov
Cc: Dag-Erling Smørgrav, freebsd-security@FreeBSD.org
Subject: Re: OpenSSH, PAM and kerberos
Date: Tue, 3 Sep 2013 14:39:22 +0400
Message-ID: <20130903103922.GI3796@zxy.spb.ru>
In-Reply-To: <998724759.20130903142637@serebryakov.spb.ru>

On Tue, Sep 03, 2013 at 02:26:37PM +0400, Lev Serebryakov wrote:
> Hello, Dag-Erling.
> You wrote on 3 September 2013 at 13:38:48:
>
> >> And how, in this case, can the situation with PAM credentials
> >> (Kerberos credentials in my case) be resolved?
> DES> The application does not need them.
> They are written to disk with pam_open_session(), and this call should be
> made by sshd, not by some "authorization daemon", if I understand the
> situation right. Or don't I?

Written to disk with pam_setcred(), not pam_open_session(). And yes, by sshd, after dropping privileges. And it sets KRB5CCNAME. An "authorization daemon" can't set the environment in another process.

From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 10:50:39 2013
From: Lev Serebryakov <lev@FreeBSD.org>
To: Slawa Olhovchenkov
Cc: Dag-Erling Smørgrav, freebsd-security@FreeBSD.org
Subject: Re: OpenSSH, PAM and kerberos
Date: Tue, 3 Sep 2013 14:50:34 +0400
Message-ID: <6110257289.20130903145034@serebryakov.spb.ru>
In-Reply-To: <20130903103922.GI3796@zxy.spb.ru>

Hello, Slawa.
You wrote on 3 September 2013 at 14:39:22:

>> >> And how, in this case, can the situation with PAM credentials
>> >> (Kerberos credentials in my case) be resolved?
>> DES> The application does not need them.
>> They are written to disk with pam_open_session(), and this call should be
>> made by sshd, not by some "authorization daemon", if I understand the
>> situation right. Or don't I?
SO> Written to disk with pam_setcred(), not pam_open_session(). And yes,
SO> by sshd, after dropping privileges. And it sets KRB5CCNAME. An
SO> "authorization daemon" can't set the environment in another process.

des@ suggests having the ability to pass env variables from the authorization daemon, but anyway, pam_setcred() should be called by the shell process (or its parent), and not by just any process in the system, am I right?
-- 
// Black Lion AKA Lev Serebryakov

From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 11:27:04 2013
From: Dag-Erling Smørgrav <des@des.no>
To: Slawa Olhovchenkov
Cc: freebsd-security@FreeBSD.org
Subject: Re: OpenSSH, PAM and kerberos
Date: Tue, 03 Sep 2013 13:27:04 +0200
Message-ID: <86li3euovr.fsf@nine.des.no>
In-Reply-To: <20130903095316.GH3796@zxy.spb.ru> (Slawa Olhovchenkov's message of "Tue, 3 Sep 2013 13:53:16 +0400")

Slawa Olhovchenkov writes:
> Dag-Erling Smørgrav writes:
> > Slawa Olhovchenkov writes:
> > > And how, in this case, can the situation with PAM credentials
> > > (Kerberos credentials in my case) be resolved?
> > The application does not need them.
> I need them. I need single sign-on: I need to enter my password only
> once, at login time, and use these credentials to log in to other hosts
> and use Kerberized NFS without entering a password.

The application does not need pam_krb5's temporary credential cache. It is only used internally. Single sign-on is implemented by storing your credentials in a *permanent* credential cache (either a file or KCM) which is independent of the PAM session and the application. The location of the permanent credential cache is exported to the application through the KRB5CCNAME environment variable.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 11:31:13 2013
From: Dag-Erling Smørgrav <des@des.no>
To: Lev Serebryakov
Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov
Subject: Re: OpenSSH, PAM and kerberos
Date: Tue, 03 Sep 2013 13:30:43 +0200
Message-ID: <86d2oquopo.fsf@nine.des.no>
In-Reply-To: <6110257289.20130903145034@serebryakov.spb.ru> (Lev Serebryakov's message of "Tue, 3 Sep 2013 14:50:34 +0400")

Lev Serebryakov writes:
> des@ suggests having the ability to pass env variables from the authorization
> daemon, but anyway, pam_setcred() should be called by the shell process
> (or its parent), and not by just any process in the system, am I right?

Everything pam_setcred() does can be done in a separate process, and the result returned to the application using sendmsg().

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 11:48:47 2013
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Dag-Erling Smørgrav
Cc: freebsd-security@FreeBSD.org
Subject: Re: OpenSSH, PAM and kerberos
Date: Tue, 3 Sep 2013 15:50:50 +0400
Message-ID: <20130903115050.GJ3796@zxy.spb.ru>
In-Reply-To: <86li3euovr.fsf@nine.des.no>

On Tue, Sep 03, 2013 at 01:27:04PM +0200, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Dag-Erling Smørgrav writes:
> > > Slawa Olhovchenkov writes:
> > > > And how in this case can be resolved situation with PAM credentials > > > > (Kerberos credentials in may case)? > > > The application does not need them. > > I need them. I need single sign-on, I need enter password only once, > > at login time and use this credentials to login to other host and use > > Kerberosed NFS w/o entering password. > > The application does not need pam_krb5's temporary credential cache. It > is only used internally. Single sign-on is implemented by storing your > credentials in a *permanent* credential cache (either a file or KCM) > which is independent of the PAM session and the application. The > location of the permanent credential cache is exported to the > application through the KRB5CCNAME environment variable. Yes, but content of credential cache got at time pam_authenticate(). And this content (size, structure and links to other objects) invisible outside PAM. Application (and authenticate daemon) can't be extract this for transfer and (in general case) can't be know about necessary acts (write to file? what file? set enviroment?) -- all this activity do internals by PAM modules -- one bu pam_krb5, other by pam_opie and pam_unix. Also, authenticate daemon (in case authenticate daemon call pam_setcred) can't be know what need to transfer (chaneged UID? new enviroment? deleted enviroment?) 
From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 11:49:14 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id D5818AC6 for ; Tue, 3 Sep 2013 11:49:14 +0000 (UTC) (envelope-from lev@FreeBSD.org) Received: from onlyone.friendlyhosting.spb.ru (onlyone.friendlyhosting.spb.ru [IPv6:2a01:4f8:131:60a2::2]) by mx1.freebsd.org (Postfix) with ESMTP id 97DE02EE8 for ; Tue, 3 Sep 2013 11:49:14 +0000 (UTC) Received: from lion.home.serebryakov.spb.ru (unknown [IPv6:2001:470:923f:1:61fd:95c3:8111:539a]) (Authenticated sender: lev@serebryakov.spb.ru) by onlyone.friendlyhosting.spb.ru (Postfix) with ESMTPSA id 8FE344AC31; Tue, 3 Sep 2013 15:49:11 +0400 (MSK) Date: Tue, 3 Sep 2013 15:49:08 +0400 From: Lev Serebryakov Organization: FreeBSD Project X-Priority: 3 (Normal) Message-ID: <226539732.20130903154908@serebryakov.spb.ru> To: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= Subject: Re: OpenSSH, PAM and kerberos In-Reply-To: <86d2oquopo.fsf@nine.des.no> References: <86sixrwdcv.fsf@nine.des.no> <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <998724759.20130903142637@serebryakov.spb.ru> <20130903103922.GI3796@zxy.spb.ru> <6110257289.20130903145034@serebryakov.spb.ru> <86d2oquopo.fsf@nine.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: lev@FreeBSD.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: 
List-Subscribe: , X-List-Received-Date: Tue, 03 Sep 2013 11:49:14 -0000 Hello, Dag-Erling. You wrote 3 =D1=81=D0=B5=D0=BD=D1=82=D1=8F=D0=B1=D1=80=D1=8F 2013 =D0=B3., = 15:30:43: >> des@ suggests to have ability to pass env variables from authorization >> daemon, but anyway, pam_setcred() should be called by shell process >> (or its parent), and not any process in system, am I right? DES> Everything pam_setcred() does can be done in a separate process, and t= he DES> result returned to the application using sendmsg(). Why do we need separate daemon for it? Why it could not be built-in to sshd itself? One more daemon -- one more point of failure... --=20 // Black Lion AKA Lev Serebryakov From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 13:22:57 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 677F169D; Tue, 3 Sep 2013 13:22:57 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 274942A58; Tue, 3 Sep 2013 13:22:56 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 0B514456D; Tue, 3 Sep 2013 13:22:56 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 1BA7733A18; Tue, 3 Sep 2013 15:22:57 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: lev@FreeBSD.org Subject: Re: OpenSSH, PAM and kerberos References: <86sixrwdcv.fsf@nine.des.no> <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <998724759.20130903142637@serebryakov.spb.ru> <20130903103922.GI3796@zxy.spb.ru> 
<6110257289.20130903145034@serebryakov.spb.ru> <86d2oquopo.fsf@nine.des.no> <226539732.20130903154908@serebryakov.spb.ru> Date: Tue, 03 Sep 2013 15:22:56 +0200 In-Reply-To: <226539732.20130903154908@serebryakov.spb.ru> (Lev Serebryakov's message of "Tue, 3 Sep 2013 15:49:08 +0400") Message-ID: <8661uiujin.fsf@nine.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Sep 2013 13:22:57 -0000 Lev Serebryakov writes: > Why do we need separate daemon for it? Why it could not be built-in > to sshd itself? sshd is just one of many applications in the system. > One more daemon -- one more point of failure... Or you can look at it the other way around: less copy-pasting between applications and far fewer chances to screw it up. 
DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 13:24:17 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id EC6CD81A for ; Tue, 3 Sep 2013 13:24:17 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id AB9802AAE for ; Tue, 3 Sep 2013 13:24:17 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 102064578; Tue, 3 Sep 2013 13:24:17 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 2100E33A1A; Tue, 3 Sep 2013 15:23:48 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Slawa Olhovchenkov Subject: Re: OpenSSH, PAM and kerberos References: <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <20130903095316.GH3796@zxy.spb.ru> <86li3euovr.fsf@nine.des.no> <20130903115050.GJ3796@zxy.spb.ru> Date: Tue, 03 Sep 2013 15:23:48 +0200 In-Reply-To: <20130903115050.GJ3796@zxy.spb.ru> (Slawa Olhovchenkov's message of "Tue, 3 Sep 2013 15:50:50 +0400") Message-ID: <864na2ujh7.fsf@nine.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@FreeBSD.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Sep 2013 13:24:18 -0000 Slawa Olhovchenkov 
writes: > Dag-Erling Sm=C3=B8rgrav writes: > > The application does not need pam_krb5's temporary credential cache. It > > is only used internally. Single sign-on is implemented by storing your > > credentials in a *permanent* credential cache (either a file or KCM) > > which is independent of the PAM session and the application. The > > location of the permanent credential cache is exported to the > > application through the KRB5CCNAME environment variable. > Yes, but content of credential cache got at time pam_authenticate(). Did you read *anything* that I wrote? The pam_krb5 module obtains your credentials and stores them in a persistent cache which is *independent* of the module and of the application that called it. The *only* thing it needs to communicate to the application is the value of KRB5CCNAME. If this wasn't the case, pam_krb5 wouldn't work with *any* applications whatsoever, not just sshd. > Also, authenticate daemon (in case authenticate daemon call > pam_setcred) can't be know what need to transfer (chaneged UID? new > enviroment? deleted enviroment?) Actually, sshd already does most of this by farming PAM out to a child process. 
DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 13:44:05 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 18A2B87F for ; Tue, 3 Sep 2013 13:44:05 +0000 (UTC) (envelope-from lev@FreeBSD.org) Received: from onlyone.friendlyhosting.spb.ru (onlyone.friendlyhosting.spb.ru [46.4.40.135]) by mx1.freebsd.org (Postfix) with ESMTP id C95F12D6B for ; Tue, 3 Sep 2013 13:44:04 +0000 (UTC) Received: from lion.home.serebryakov.spb.ru (unknown [IPv6:2001:470:923f:1:61fd:95c3:8111:539a]) (Authenticated sender: lev@serebryakov.spb.ru) by onlyone.friendlyhosting.spb.ru (Postfix) with ESMTPSA id 9FCA14AC2D; Tue, 3 Sep 2013 17:44:02 +0400 (MSK) Date: Tue, 3 Sep 2013 17:43:59 +0400 From: Lev Serebryakov X-Priority: 3 (Normal) Message-ID: <1734535072.20130903174359@serebryakov.spb.ru> To: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= Subject: Re: OpenSSH, PAM and kerberos In-Reply-To: <8661uiujin.fsf@nine.des.no> References: <86sixrwdcv.fsf@nine.des.no> <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <998724759.20130903142637@serebryakov.spb.ru> <20130903103922.GI3796@zxy.spb.ru> <6110257289.20130903145034@serebryakov.spb.ru> <86d2oquopo.fsf@nine.des.no> <226539732.20130903154908@serebryakov.spb.ru> <8661uiujin.fsf@nine.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , 
List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Sep 2013 13:44:05 -0000 Hello, Dag-Erling. You wrote 3 =D1=81=D0=B5=D0=BD=D1=82=D1=8F=D0=B1=D1=80=D1=8F 2013 =D0=B3., = 17:22:56: DES> sshd is just one of many applications in the system. Ooops. I think, have ONE daemon to provide ALL authentication is bad idea. It crashes. After that you could not login via console, sshd, telnet, whatever! Only one way -- reboot server via power button... Not good. >> One more daemon -- one more point of failure... DES> Or you can look at it the other way around: less copy-pasting between DES> applications and far fewer chances to screw it up. login(1) works. It means, that console and telnet works. ftpd(8) doesn't need such excessive session support (single login via ftp? Are you kidding?). So, only sshd(8) is broken. And change (dramatically) well-known programs (like login(1)) and introduce new subsystem to fix bug (it is really a bug) in sshd? I don't think it is sane way to do things. 
--=20 // Black Lion AKA Lev Serebryakov From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 13:46:25 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 4A1E3A97 for ; Tue, 3 Sep 2013 13:46:25 +0000 (UTC) (envelope-from lev@FreeBSD.org) Received: from onlyone.friendlyhosting.spb.ru (onlyone.friendlyhosting.spb.ru [IPv6:2a01:4f8:131:60a2::2]) by mx1.freebsd.org (Postfix) with ESMTP id 0D8EA2DB1 for ; Tue, 3 Sep 2013 13:46:25 +0000 (UTC) Received: from lion.home.serebryakov.spb.ru (unknown [IPv6:2001:470:923f:1:61fd:95c3:8111:539a]) (Authenticated sender: lev@serebryakov.spb.ru) by onlyone.friendlyhosting.spb.ru (Postfix) with ESMTPSA id 2BFDA4AC2D; Tue, 3 Sep 2013 17:46:23 +0400 (MSK) Date: Tue, 3 Sep 2013 17:46:20 +0400 From: Lev Serebryakov X-Priority: 3 (Normal) Message-ID: <5010498171.20130903174620@serebryakov.spb.ru> To: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= Subject: Re: OpenSSH, PAM and kerberos In-Reply-To: <864na2ujh7.fsf@nine.des.no> References: <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <20130903095316.GH3796@zxy.spb.ru> <86li3euovr.fsf@nine.des.no> <20130903115050.GJ3796@zxy.spb.ru> <864na2ujh7.fsf@nine.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Sep 2013 13:46:25 -0000 Hello, Dag-Erling. 
You wrote 3 =D1=81=D0=B5=D0=BD=D1=82=D1=8F=D0=B1=D1=80=D1=8F 2013 =D0=B3., = 17:23:48: >> Also, authenticate daemon (in case authenticate daemon call >> pam_setcred) can't be know what need to transfer (chaneged UID? new >> enviroment? deleted enviroment?) DES> Actually, sshd already does most of this by farming PAM out to a child DES> process. And, IMHO, proper way to fix this bug is to fix it here, as "most of thing= s" is already done. --=20 // Black Lion AKA Lev Serebryakov From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 14:15:26 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 4F5F964E; Tue, 3 Sep 2013 14:15:26 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 0B3062F9A; Tue, 3 Sep 2013 14:15:25 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 4DCF14671; Tue, 3 Sep 2013 14:15:25 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 6466D33A2F; Tue, 3 Sep 2013 16:15:26 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Lev Serebryakov Subject: Re: OpenSSH, PAM and kerberos References: <86sixrwdcv.fsf@nine.des.no> <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <998724759.20130903142637@serebryakov.spb.ru> <20130903103922.GI3796@zxy.spb.ru> <6110257289.20130903145034@serebryakov.spb.ru> <86d2oquopo.fsf@nine.des.no> <226539732.20130903154908@serebryakov.spb.ru> <8661uiujin.fsf@nine.des.no> <1734535072.20130903174359@serebryakov.spb.ru> Date: Tue, 03 Sep 2013 
16:15:26 +0200 In-Reply-To: <1734535072.20130903174359@serebryakov.spb.ru> (Lev Serebryakov's message of "Tue, 3 Sep 2013 17:43:59 +0400") Message-ID: <86vc2it2ip.fsf@nine.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Sep 2013 14:15:26 -0000 Lev Serebryakov writes: > login(1) works. It means, that console and telnet works. ftpd(8) doesn't > need such excessive session support (single login via ftp? Are you > kidding?). So, only sshd(8) is broken. And change (dramatically) well-kno= wn > programs (like login(1)) and introduce new subsystem to fix bug (it is > really a bug) in sshd? I don't think it is sane way to do things. We're not just talking about a bug in sshd. We're talking about a fundamentally broken paradigm which affects *all* applications. 
DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 14:16:36 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 1C13C829; Tue, 3 Sep 2013 14:16:36 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id CFD7A2FBA; Tue, 3 Sep 2013 14:16:35 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 2454E4688; Tue, 3 Sep 2013 14:16:35 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 3AFD233A32; Tue, 3 Sep 2013 16:16:06 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Lev Serebryakov Subject: Re: OpenSSH, PAM and kerberos References: <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <20130903095316.GH3796@zxy.spb.ru> <86li3euovr.fsf@nine.des.no> <20130903115050.GJ3796@zxy.spb.ru> <864na2ujh7.fsf@nine.des.no> <5010498171.20130903174620@serebryakov.spb.ru> Date: Tue, 03 Sep 2013 16:16:06 +0200 In-Reply-To: <5010498171.20130903174620@serebryakov.spb.ru> (Lev Serebryakov's message of "Tue, 3 Sep 2013 17:46:20 +0400") Message-ID: <86r4d6t2hl.fsf@nine.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: 
List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Sep 2013 14:16:36 -0000 Lev Serebryakov writes: > "Dag-Erling Sm=C3=B8rgrav" writes: > > Actually, sshd already does most of this by farming PAM out to a > > child process. > And, IMHO, proper way to fix this bug is to fix it here, as "most of > things" is already done. Feel free to submit patches. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 14:20:00 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id EF0FFC3C for ; Tue, 3 Sep 2013 14:20:00 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) by mx1.freebsd.org (Postfix) with ESMTP id AAC7A207E for ; Tue, 3 Sep 2013 14:20:00 +0000 (UTC) Received: from slw by zxy.spb.ru with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1VGrUb-000I9v-Je; Tue, 03 Sep 2013 18:22:05 +0400 Date: Tue, 3 Sep 2013 18:22:05 +0400 From: Slawa Olhovchenkov To: Dag-Erling Sm??rgrav Subject: Re: OpenSSH, PAM and kerberos Message-ID: <20130903142205.GL3796@zxy.spb.ru> References: <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <20130903095316.GH3796@zxy.spb.ru> <86li3euovr.fsf@nine.des.no> <20130903115050.GJ3796@zxy.spb.ru> <864na2ujh7.fsf@nine.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <864na2ujh7.fsf@nine.des.no> User-Agent: Mutt/1.5.21 (2010-09-15) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: slw@zxy.spb.ru X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false Cc: freebsd-security@FreeBSD.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 
2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Sep 2013 14:20:01 -0000 On Tue, Sep 03, 2013 at 03:23:48PM +0200, Dag-Erling Sm??rgrav wrote: > Slawa Olhovchenkov writes: > > Dag-Erling Sm??rgrav writes: > > > The application does not need pam_krb5's temporary credential cache. It > > > is only used internally. Single sign-on is implemented by storing your > > > credentials in a *permanent* credential cache (either a file or KCM) > > > which is independent of the PAM session and the application. The > > > location of the permanent credential cache is exported to the > > > application through the KRB5CCNAME environment variable. > > Yes, but content of credential cache got at time pam_authenticate(). > > Did you read *anything* that I wrote? I read. May be I bad writing, sorry for my english. > The pam_krb5 module obtains your credentials and stores them in a > persistent cache which is *independent* of the module and of the > application that called it. The *only* thing it needs to communicate to > the application is the value of KRB5CCNAME. If this wasn't the case, > pam_krb5 wouldn't work with *any* applications whatsoever, not just > sshd. Application don't know about KRB5CCNAME (in general case). And authenticate daemon don't know about KRB5CCNAME. How the demon can learn about need to transfer KRB5CCNAME to application? If called from application pam_krb5 change application environment or context and application don't worry about changes. All be done by PAM modules. > > Also, authenticate daemon (in case authenticate daemon call > > pam_setcred) can't be know what need to transfer (chaneged UID? new > > enviroment? deleted enviroment?) > > Actually, sshd already does most of this by farming PAM out to a child > process. 
> > DES > -- > Dag-Erling Sm??rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 14:21:57 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 0A085EC9 for ; Tue, 3 Sep 2013 14:21:57 +0000 (UTC) (envelope-from lev@FreeBSD.org) Received: from onlyone.friendlyhosting.spb.ru (onlyone.friendlyhosting.spb.ru [46.4.40.135]) by mx1.freebsd.org (Postfix) with ESMTP id B2EEE20F1 for ; Tue, 3 Sep 2013 14:21:56 +0000 (UTC) Received: from lion.home.serebryakov.spb.ru (unknown [IPv6:2001:470:923f:1:61fd:95c3:8111:539a]) (Authenticated sender: lev@serebryakov.spb.ru) by onlyone.friendlyhosting.spb.ru (Postfix) with ESMTPSA id 1FE204AC2D; Tue, 3 Sep 2013 18:21:55 +0400 (MSK) Date: Tue, 3 Sep 2013 18:21:52 +0400 From: Lev Serebryakov Organization: FreeBSD Project X-Priority: 3 (Normal) Message-ID: <1601348478.20130903182152@serebryakov.spb.ru> To: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= Subject: Re: OpenSSH, PAM and kerberos In-Reply-To: <86vc2it2ip.fsf@nine.des.no> References: <86sixrwdcv.fsf@nine.des.no> <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <998724759.20130903142637@serebryakov.spb.ru> <20130903103922.GI3796@zxy.spb.ru> <6110257289.20130903145034@serebryakov.spb.ru> <86d2oquopo.fsf@nine.des.no> <226539732.20130903154908@serebryakov.spb.ru> <8661uiujin.fsf@nine.des.no> <1734535072.20130903174359@serebryakov.spb.ru> <86vc2it2ip.fsf@nine.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov X-BeenThere: freebsd-security@freebsd.org 
X-Mailman-Version: 2.1.14 Precedence: list Reply-To: lev@FreeBSD.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Sep 2013 14:21:57 -0000 Hello, Dag-Erling. You wrote 3 =D1=81=D0=B5=D0=BD=D1=82=D1=8F=D0=B1=D1=80=D1=8F 2013 =D0=B3., = 18:15:26: >> login(1) works. It means, that console and telnet works. ftpd(8) doesn't >> need such excessive session support (single login via ftp? Are you >> kidding?). So, only sshd(8) is broken. And change (dramatically) well-kn= own >> programs (like login(1)) and introduce new subsystem to fix bug (it is >> really a bug) in sshd? I don't think it is sane way to do things. DES> We're not just talking about a bug in sshd. We're talking about a DES> fundamentally broken paradigm which affects *all* applications. How does it affect second-most-used-login application -- login(1)? I know nothing about xdm, gdm, kdm and all other X11 display managers, as I don't use anything UNIX-like on desktops, are they affected too? Or do they work as intended now? Which applications do need this functionality too? ftpd(8)? Is it affected? But I'm not sure, that ftpd(8) needs something like this at all, as I could not imagine any kerberized / single login application run with ftpd as parent. Maybe, my imagination is poor. And, yes, what do you mean by "fundamentally broken paradigm" here? PAM itself? 
--=20 // Black Lion AKA Lev Serebryakov From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 15:25:11 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 9EE55704 for ; Tue, 3 Sep 2013 15:25:11 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 5B85524F3 for ; Tue, 3 Sep 2013 15:25:11 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 7B6C747ED; Tue, 3 Sep 2013 15:25:10 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 93AC933A44; Tue, 3 Sep 2013 17:25:11 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Slawa Olhovchenkov Subject: Re: OpenSSH, PAM and kerberos References: <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <20130903095316.GH3796@zxy.spb.ru> <86li3euovr.fsf@nine.des.no> <20130903115050.GJ3796@zxy.spb.ru> <864na2ujh7.fsf@nine.des.no> <20130903142205.GL3796@zxy.spb.ru> Date: Tue, 03 Sep 2013 17:25:11 +0200 In-Reply-To: <20130903142205.GL3796@zxy.spb.ru> (Slawa Olhovchenkov's message of "Tue, 3 Sep 2013 18:22:05 +0400") Message-ID: <86mwnuszag.fsf@nine.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@FreeBSD.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Sep 2013 15:25:11 -0000 Slawa Olhovchenkov writes: 
> Dag-Erling Smørgrav writes:
> > Did you read *anything* that I wrote?
> I read. Maybe my writing is bad, sorry for my English.

No, your English is fine, but I feel like I'm trying to explain to you that I want to replace a carburetted engine with an injection engine and you keep complaining about how hard it will be to fit the carburettor. I am *not* proposing to move PAM into a daemon. I am proposing something completely new. I thought I made that clear.

> The application doesn't know about KRB5CCNAME (in the general case), and
> the authentication daemon doesn't know about KRB5CCNAME either. How can
> the daemon learn that it needs to transfer KRB5CCNAME to the application?

KRB5CCNAME is an environment variable. OpenSSH already contains code that copies environment variables from the PAM child process to the main process. The problem is that at this point, the credentials are stored in a temporary cache within the process, rather than a persistent cache, and KRB5CCNAME is not yet set. The temporary cache is lost when the PAM child terminates, before pam_setcred() is called.

> If called from the application, pam_krb5 changes the application's
> environment or context and the application doesn't need to worry about
> the changes. Everything is done by the PAM modules.

Yes. PAM is crap.
DES
--
Dag-Erling Smørgrav - des@des.no

From: Dag-Erling Smørgrav <des@des.no>
To: lev@FreeBSD.org
Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov
Subject: Re: OpenSSH, PAM and kerberos
Date: Tue, 03 Sep 2013 17:31:13 +0200
Message-ID: <86fvtludku.fsf@nine.des.no>
In-Reply-To: <1601348478.20130903182152@serebryakov.spb.ru>

Lev Serebryakov writes:
> Dag-Erling Smørgrav writes:
> > We're not just talking about a bug in sshd. We're talking about a
> > fundamentally broken paradigm which affects *all* applications.
> How does it affect the second-most-used login application -- login(1)?

I don't think login(1) is anywhere near second place - but yes, login(1) is affected too. Everything that uses PAM is affected by the need to have a process wait around to call pam_close_session(). Many, but not all, PAM applications are also affected by PAM's reliance on callbacks for user interaction (this is a major problem for OpenSSH). Performing authentication in the same process that accepts and parses input from potentially hostile users is also a huge security issue, cf. privilege separation.

> And, yes, what do you mean by "fundamentally broken paradigm" here?
> PAM itself?

PAM, NSS, everything. Using separate APIs with separate backends for identification and authentication, shoehorning modern identity databases into the 40-year-old getpwnam() API - everything.
DES
--
Dag-Erling Smørgrav - des@des.no

From: Lev Serebryakov <lev@FreeBSD.org>
Organization: FreeBSD Project
To: Dag-Erling Smørgrav
Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov
Subject: Re: OpenSSH, PAM and kerberos
Date: Wed, 4 Sep 2013 00:20:38 +0400
Message-ID: <1289783626.20130904002038@serebryakov.spb.ru>
In-Reply-To: <86fvtludku.fsf@nine.des.no>

Hello, Dag-Erling. You wrote on 3 September 2013 at 19:31:13:

>> How does it affect the second-most-used login application -- login(1)?

DES> I don't think login(1) is anywhere near second place - but yes, login(1)
DES> is affected too. Everything that uses PAM is affected by the need to
DES> have a process wait around to call pam_close_session(). Many, but not

Yes, if we want to close a session, no matter whether it is a PAM one, a wtmp one, any one, we need to wait somewhere for the session to end. I don't see any other solution here, with or without PAM. If you have a separate daemon performing all AAA for all applications, this daemon will need to have a child waiting for the session end.

DES> all, PAM applications are also affected by PAM's reliance on callbacks
DES> for user interaction (this is a major problem for OpenSSH). Performing

Again, if we want to implement "any" authentication protocol (computer-to-human here, not computer-to-computer), which could include a number of challenge-response-like steps not known in advance, how could you solve this? You need to interact with the user, in many steps. Outputting one string and reading another is not a very hard task, IMHO. Yes, C is known for buffer overruns and things like that, but by now that is commonplace and easy to avoid. Or you will be limited to some subset of authentication protocols, like a simple password without the ability to do OTP, auth e-tokens, hardware OTP calculators and such.

DES> authentication in the same process that accepts and parses input from
DES> potentially hostile users is also a huge security issue, cf. privilege
DES> separation.
Accepting input from a hostile user is a huge security issue per se? Ouch. In the modern world there are only hostile users. Yes, all our software has huge security issues, I know that :)

>> And, yes, what do you mean by "fundamentally broken paradigm" here?
>> PAM itself?

DES> PAM, NSS, everything. Using separate APIs with separate backends for
DES> identification and authentication, shoehorning modern identity databases
DES> into the 40-year-old getpwnam() API - everything.

As far as I understand, PAM is not the 40-year-old getpwnam() API. It is a (relatively) modern API to replace getpwnam(), with support for modern identity databases in mind. OK, maybe it is not ideal, but, IMHO, proposing a new one now is not a realistic task.

OK, maybe PAM is not ideal (nothing is), but any API, no matter whether it is a self-contained library (like PAM) or a library that is a client to some daemon, will need to have almost the same calls as PAM: authenticate user, authorize user, open session, close session... And, yes, any front-end program (like login, sshd or such) will need to call close session after user logout, and that means it needs to have SOMETHING to call this -- a forked child, a thread, whatever...

Also, the daemon will not be able to "show" challenges to the user and accept responses, because the frontend program IS the one which interacts with the user. No alternatives. So, callbacks are unavoidable... OK, we could have a special non-privileged process to show the "user interface" and sanitize (hostile) user input; it adds an additional layer of protection, but authorization should be performed by a privileged (root) process, as only such a process can switch credentials to the user's ones. I don't see how it could help with the need to wait for the session end and why this process should call PAM by itself. And, of course, this process could not be a special daemon, as it is a frontend (UI) task for sure.
And the gain here looks to be small, especially for things like sshd, where all user input is received via a well-defined protocol with packet lengths and MACs, and user input is almost sanitized by that level -- the only thing which could be invalid is zero bytes in text data.

Do you have any examples of how this could be solved?

--
// Black Lion AKA Lev Serebryakov

From: Dag-Erling Smørgrav <des@des.no>
To: lev@FreeBSD.org
Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov
Subject: Re: OpenSSH, PAM and kerberos
Date: Wed, 04 Sep 2013 09:53:14 +0200
Message-ID: <867gext445.fsf@nine.des.no>
In-Reply-To: <1289783626.20130904002038@serebryakov.spb.ru>

Lev Serebryakov writes:
> Accepting input from a hostile user is a huge security issue per se? Ouch.
> In the modern world there are only hostile users. Yes, all our software
> has huge security issues, I know that :)

Please look up "privilege separation" on Wikipedia so you have at least *some* idea of what we're talking about.

> As far as I understand, PAM is not the 40-year-old getpwnam() API. It is
> a (relatively) modern API to replace getpwnam(), with support for modern
> identity databases in mind.

No, PAM does not replace getpwnam(). PAM does not handle identity at all. NSS handles identity with the old getpwnam() API.

I'm not going to answer the rest - it is so full of misconceptions, fallacies and incorrect assumptions that I simply don't have the energy.
DES
--
Dag-Erling Smørgrav - des@des.no

From: Dmitry Morozovsky <marck@rinet.ru>
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, lev@freebsd.org, Slawa Olhovchenkov
Subject: Re: OpenSSH, PAM and kerberos
Date: Wed, 4 Sep 2013 12:56:01 +0400 (MSK)
In-Reply-To: <867gext445.fsf@nine.des.no>

Dag-Erling,

On Wed, 4 Sep 2013, Dag-Erling Smørgrav wrote:
> I'm not going to answer the rest - it is so full of misconceptions,
> fallacies and incorrect assumptions that I simply don't have the
> energy.

Maybe it would help if we had some kind of diagram showing the different parts/phases of security- and credentials-related decision-making processes? Or is it somewhere in our resources already? I suppose this would reduce misunderstanding.

(and, yes, Dag-Erling, *you* are one of the most security-related people with the deepest knowledge, not we, so we kindly ask you dumb questions :)

Thank you!
--
Sincerely, D.Marck [DM5020, MCK-RIPE, DM3-RIPN]
[ FreeBSD committer: marck@FreeBSD.org ]
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***

From: Lev Serebryakov <lev@FreeBSD.org>
To: Dag-Erling Smørgrav
Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov
Subject: Re: OpenSSH, PAM and kerberos
Date: Wed, 4 Sep 2013 13:07:01 +0400
Message-ID: <141305885.20130904130701@serebryakov.spb.ru>
In-Reply-To: <867gext445.fsf@nine.des.no>

Hello, Dag-Erling. You wrote on 4 September 2013 at 11:53:14:

DES> Lev Serebryakov writes:
>> Accepting input from a hostile user is a huge security issue per se? Ouch.
>> In the modern world there are only hostile users. Yes, all our software
>> has huge security issues, I know that :)
DES> Please look up "privilege separation" on Wikipedia so you have at least
DES> *some* idea of what we're talking about.

I have *some* idea what "privilege separation" is, thank you.

>> As far as I understand, PAM is not the 40-year-old getpwnam() API. It is
>> a (relatively) modern API to replace getpwnam(), with support for modern
>> identity databases in mind.

DES> No, PAM does not replace getpwnam(). PAM does not handle identity at
DES> all. NSS handles identity with the old getpwnam() API.

Ouch. Why didn't you see that it was a quotation from your message? I know that PAM is not an exact replacement for getpwnam(), as it only "checks the password" (please don't point out to me that it can do more than "check the password", I know, and I use quotes here to point at the fact that it is a simplification), but I thought that you used this concrete function call as a meta-name for all the old AAA/identity APIs from POSIX, and I accepted it.
DES> I'm not going to answer the rest - it is so full of misconceptions,
DES> fallacies and incorrect assumptions that I simply don't have the
DES> energy.

BTW, you wrote in another message:

DES> I am *not* proposing to move PAM into a daemon. I am proposing
DES> something completely new. I thought I made that clear.

No, you didn't make it clear. All your previous messages left the impression that you propose to move the PAM API to a separate daemon with a somewhat simpler API, accessible via a socket. Do you have any notes, drafts, whatever, about what you propose exactly, more specific than "we need an AAA/identity daemon instead of all the old APIs"?

--
// Black Lion AKA Lev Serebryakov

From: Lev Serebryakov <lev@FreeBSD.org>
To: Dag-Erling Smørgrav
Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov
Subject: Re: OpenSSH, PAM and kerberos
Date: Wed, 4 Sep 2013 14:20:12 +0400
Message-ID: <1943226951.20130904142012@serebryakov.spb.ru>
In-Reply-To: <86mwnuszag.fsf@nine.des.no>

Hello, Dag-Erling. You wrote on 3 September 2013 at 19:25:11:

DES> I am *not* proposing to move PAM into a daemon. I am proposing
DES> something completely new. I thought I made that clear.

I totally agree with Dmitry Morozovsky's words, so please don't read my words as arguing with you, but rather as questions.

I'll try to write a short list of requirements for this completely new solution; where am I wrong? I'm sure I am, but where? Thank you.

(1) It should support loadable backends from the very beginning, or we will end up with NSS-like hacks and kludges (yes, I totally agree with you that NSS is an ugly hack).

(2) It should run most backends with dropped privileges -- you don't need to be "root" to connect to an LDAP or KRB server, for example, and it is better to do this from a restricted account.

(3) It should be able to run SOME PARTS of SOME backends with super-user privileges, as one of the backends should be able to read the system password (shadow) file, as we want to support the good old /etc/master.passwd. A pam_ssh-like backend needs to read the user's private key, too.

(4) It should support "partial" backends, which don't support all AAA functions. One backend could be used only for authentication (like pam_ssh) and another for identity management (like LDAP without authorization).
So, the complete feature set could be obtained from a SET of backends, not only one backend at a time (it looks hard to do properly and flexibly enough).

(5) It should be able to run some backend parts (callbacks?) after switching privileges to the authenticated user. For example, the kerberos backend should be able to store the credentials file in the user's home directory with the user's access rights. Backends should be able to communicate with the core of the daemon to specify which parts should be run with which privileges. Again, it doesn't look easy to do properly.

(6) It should provide a channel for a backend to pass any information from one privilege domain to another, as the kerberos backend should be able to pass a ticket from the restricted domain (where the kerberos protocol is implemented) to the user or superuser domain (to store in a file in the user's directory).

(7) It should provide some API for challenge-response-like conversation with the user.

(8) It should provide some API for session tracking for accounting and some way for backends to clean up at session end (this is the most questionable part, IMHO, as it is hard to do without zillions of sleeping processes while users are logged in).

(9) The "old" API should be mapped to this daemon, instead of NSS, as we have a multitude of programs in ports which don't know about this new API (ouch, I don't like this part).

(10) Many backends would have to be re-implemented from the NSS or PAM API (and I don't like this one either). Generic wrappers for NSS and/or PAM modules look complicated and, again, are the same "crap" as NSS and PAM themselves.
--
// Black Lion AKA Lev Serebryakov

From: Dag-Erling Smørgrav <des@des.no>
To: Dmitry Morozovsky
Cc: freebsd-security@freebsd.org, lev@freebsd.org, Slawa Olhovchenkov
Subject: Re: OpenSSH, PAM and kerberos
Date: Wed, 04 Sep 2013 13:12:41 +0200
Message-ID: <86ob88rgba.fsf@nine.des.no>
In-Reply-To: (Dmitry Morozovsky's message of "Wed, 4 Sep 2013 12:56:01 +0400 (MSK)")

Dmitry Morozovsky writes:
> Maybe it would help if we had some kind of diagram showing the different
> parts/phases of security- and credentials-related decision-making processes?

http://www.youtube.com/watch?v=iRQvrrIhq0k

(if I seem a little confused at times, it's because I was sick and hadn't slept and had spent the previous day rewriting my presentation almost from scratch)

I'll post it on my blog (http://blog.des.no/) later today or tomorrow with a few additional comments (one of which is that Apple's security framework is *not* called CDDL - that was a slip of the tongue - but the specification really *is* 1000+ pages long)

I'm giving a followup presentation at EuroBSDCon 2013 in St Julians, Malta in a couple of weeks, which will focus less on the problem and more on the solution.
DES
--
Dag-Erling Smørgrav - des@des.no

From: Lev Serebryakov <lev@FreeBSD.org>
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, Dmitry Morozovsky, Slawa Olhovchenkov
Subject: Re: OpenSSH, PAM and kerberos
Date: Wed, 4 Sep 2013 16:07:24 +0400
Message-ID: <998999486.20130904160724@serebryakov.spb.ru>
In-Reply-To: <86ob88rgba.fsf@nine.des.no>

Hello, Dag-Erling. You wrote on 4 September 2013 at 15:12:41:

DES> Dmitry Morozovsky writes:
>> Maybe it would help if we had some kind of diagram showing the different
>> parts/phases of security- and credentials-related decision-making processes?

DES> http://www.youtube.com/watch?v=iRQvrrIhq0k

DES> (if I seem a little confused at times, it's because I was sick and
DES> hadn't slept and had spent the previous day rewriting my presentation
DES> almost from scratch)

DES> I'll post it on my blog (http://blog.des.no/) later today or tomorrow
DES> with a few additional comments (one of which is that Apple's security
DES> framework is *not* called CDDL - that was a slip of the tongue - but the
DES> specification really *is* 1000+ pages long)

DES> I'm giving a followup presentation at EuroBSDCon 2013 in St Julians,
DES> Malta in a couple of weeks, which will focus less on the problem and
DES> more on the solution.

Thank you!
I'm regretting, I will not be at Malta :( But tickets from Russia are really expensive :( --=20 // Black Lion AKA Lev Serebryakov From owner-freebsd-security@FreeBSD.ORG Wed Sep 4 13:02:51 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 1CBEAE48; Wed, 4 Sep 2013 13:02:51 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id D061D21CE; Wed, 4 Sep 2013 13:02:50 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id CC8F34359; Wed, 4 Sep 2013 13:02:49 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 5EC8933BB8; Wed, 4 Sep 2013 15:02:21 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Lev Serebryakov Subject: Re: OpenSSH, PAM and kerberos References: <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <20130903095316.GH3796@zxy.spb.ru> <86li3euovr.fsf@nine.des.no> <20130903115050.GJ3796@zxy.spb.ru> <864na2ujh7.fsf@nine.des.no> <20130903142205.GL3796@zxy.spb.ru> <86mwnuszag.fsf@nine.des.no> <1943226951.20130904142012@serebryakov.spb.ru> Date: Wed, 04 Sep 2013 15:02:21 +0200 In-Reply-To: <1943226951.20130904142012@serebryakov.spb.ru> (Lev Serebryakov's message of "Wed, 4 Sep 2013 14:20:12 +0400") Message-ID: <86k3iwrb8i.fsf@nine.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list 
List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Sep 2013 13:02:51 -0000 Lev Serebryakov writes: > I try to write some short list of requirements to this completely new > solution, where am I wrong? I'm sure, I am, but, where? Thank you. This is a very good list, and very close to what I was thinking. Some items, e.g. (1) and (4), seem blindingly obvious to me, but perhaps not to everybody. Regarding compatibility: support for the legacy getpw* API is an absolute requirement. If we can't achieve that, we can just forget about the whole thing. NSS and PAM compatibility, however, would be on a "best effort" basis. Allowing existing applications to use the new framework through NSS and PAM should be fairly easy. Allowing the new framework to use existing NSS and PAM modules would be hard, and probably not worth the effort if we can provide plugins for the most important backends (LDAP, Kerberos, RADIUS, OATH...) from day one. 
DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Wed Sep 4 13:28:23 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id E8F29918; Wed, 4 Sep 2013 13:28:23 +0000 (UTC) (envelope-from marck@rinet.ru) Received: from woozle.rinet.ru (woozle.rinet.ru [195.54.192.68]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 6D62823EE; Wed, 4 Sep 2013 13:28:22 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by woozle.rinet.ru (8.14.5/8.14.5) with ESMTP id r84DSK1l007450; Wed, 4 Sep 2013 17:28:20 +0400 (MSK) (envelope-from marck@rinet.ru) Date: Wed, 4 Sep 2013 17:28:20 +0400 (MSK) From: Dmitry Morozovsky To: =?ISO-8859-15?Q?Dag-Erling_Sm=F8rgrav?= Subject: Re: OpenSSH, PAM and kerberos In-Reply-To: <86ob88rgba.fsf@nine.des.no> Message-ID: References: <86sixrwdcv.fsf@nine.des.no> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <998724759.20130903142637@serebryakov.spb.ru> <20130903103922.GI3796@zxy.spb.ru> <6110257289.20130903145034@serebryakov.spb.ru> <86d2oquopo.fsf@nine.des.no> <226539732.20130903154908@serebryakov.spb.ru> <8661uiujin.fsf@nine.des.no> <1734535072.20130903174359@serebryakov.spb.ru> <86vc2it2ip.fsf@nine.des.no> <1601348478.20130903182152@serebryakov.spb.ru> <86fvtludku.fsf@nine.des.no> <1289783626.20130904002038@serebryakov.spb.ru> <867gext445.fsf@nine.des.no> <86ob88rgba.fsf@nine.des.no> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) X-NCC-RegID: ru.rinet X-OpenPGP-Key-ID: 6B691B03 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; 
charset=US-ASCII X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (woozle.rinet.ru [0.0.0.0]); Wed, 04 Sep 2013 17:28:20 +0400 (MSK) Cc: freebsd-security@freebsd.org, lev@freebsd.org, Slawa Olhovchenkov X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Sep 2013 13:28:24 -0000 On Wed, 4 Sep 2013, Dag-Erling Sm?rgrav wrote: > > Maybe it would help if we would have some kind of diagram showing different > > parts/phases of security- and credentials-related decision making processes? > > http://www.youtube.com/watch?v=iRQvrrIhq0k Thanks a lot! (a little bit lengthy, but that's not a problem) -- Sincerely, D.Marck [DM5020, MCK-RIPE, DM3-RIPN] [ FreeBSD committer: marck@FreeBSD.org ] ------------------------------------------------------------------------ *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru *** ------------------------------------------------------------------------ From owner-freebsd-security@FreeBSD.ORG Thu Sep 5 18:43:13 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 2C7988C0; Thu, 5 Sep 2013 18:43:13 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) by mx1.freebsd.org (Postfix) with ESMTP id DC2FF27E6; Thu, 5 Sep 2013 18:43:12 +0000 (UTC) Received: from slw by zxy.spb.ru with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1VHeYP-00099F-Dc; Thu, 05 Sep 2013 22:45:17 +0400 Date: Thu, 5 Sep 2013 22:45:17 +0400 From: Slawa Olhovchenkov To: Dag-Erling Sm??rgrav Subject: Re: OpenSSH, PAM and kerberos Message-ID: <20130905184517.GB34714@zxy.spb.ru> References: 
<20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <20130903095316.GH3796@zxy.spb.ru> <86li3euovr.fsf@nine.des.no> <20130903115050.GJ3796@zxy.spb.ru> <864na2ujh7.fsf@nine.des.no> <5010498171.20130903174620@serebryakov.spb.ru> <86r4d6t2hl.fsf@nine.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <86r4d6t2hl.fsf@nine.des.no> User-Agent: Mutt/1.5.21 (2010-09-15) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: slw@zxy.spb.ru X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false Cc: freebsd-security@FreeBSD.org, Lev Serebryakov X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Sep 2013 18:43:13 -0000 On Tue, Sep 03, 2013 at 04:16:06PM +0200, Dag-Erling Sm??rgrav wrote: > Lev Serebryakov writes: > > "Dag-Erling Sm??rgrav" writes: > > > Actually, sshd already does most of this by farming PAM out to a > > > child process. > > And, IMHO, proper way to fix this bug is to fix it here, as "most of > > things" is already done. > > Feel free to submit patches. Now I found next strange behaviour: for account with not found login class sshd refuse GSSAPIAuthentication. Telnet don't do this strange restriction. (I use login class 'me' in Kerberos/NIS setup). 
From owner-freebsd-security@FreeBSD.ORG Fri Sep 6 07:40:02 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 519912A4; Fri, 6 Sep 2013 07:40:02 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 108C42108; Fri, 6 Sep 2013 07:40:02 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 2D9204DD3; Fri, 6 Sep 2013 07:40:01 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 87FC333E73; Fri, 6 Sep 2013 09:39:33 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Slawa Olhovchenkov Subject: Re: OpenSSH, PAM and kerberos References: <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <20130903095316.GH3796@zxy.spb.ru> <86li3euovr.fsf@nine.des.no> <20130903115050.GJ3796@zxy.spb.ru> <864na2ujh7.fsf@nine.des.no> <5010498171.20130903174620@serebryakov.spb.ru> <86r4d6t2hl.fsf@nine.des.no> <20130905184517.GB34714@zxy.spb.ru> Date: Fri, 06 Sep 2013 09:39:33 +0200 In-Reply-To: <20130905184517.GB34714@zxy.spb.ru> (Slawa Olhovchenkov's message of "Thu, 5 Sep 2013 22:45:17 +0400") Message-ID: <86a9jqpfey.fsf@nine.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@FreeBSD.org, Lev Serebryakov X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Sep 2013 07:40:02 -0000 Slawa Olhovchenkov writes: > Now I found next 
strange behaviour: for account with not found login > class sshd refuse GSSAPIAuthentication. Hmm, I think that's an upstream issue. Try asking on the OpenSSH portable mailing list (openssh-unix-dev@mindrot.org) DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Fri Sep 6 07:52:00 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 5AB1B85B; Fri, 6 Sep 2013 07:52:00 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) by mx1.freebsd.org (Postfix) with ESMTP id 153D822B9; Fri, 6 Sep 2013 07:51:59 +0000 (UTC) Received: from slw by zxy.spb.ru with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1VHqrk-0003on-GU; Fri, 06 Sep 2013 11:54:04 +0400 Date: Fri, 6 Sep 2013 11:54:04 +0400 From: Slawa Olhovchenkov To: Dag-Erling Sm??rgrav Subject: Re: OpenSSH, PAM and kerberos Message-ID: <20130906075404.GW3796@zxy.spb.ru> References: <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <20130903095316.GH3796@zxy.spb.ru> <86li3euovr.fsf@nine.des.no> <20130903115050.GJ3796@zxy.spb.ru> <864na2ujh7.fsf@nine.des.no> <5010498171.20130903174620@serebryakov.spb.ru> <86r4d6t2hl.fsf@nine.des.no> <20130905184517.GB34714@zxy.spb.ru> <86a9jqpfey.fsf@nine.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <86a9jqpfey.fsf@nine.des.no> User-Agent: Mutt/1.5.21 (2010-09-15) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: slw@zxy.spb.ru X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false Cc: freebsd-security@FreeBSD.org, Lev Serebryakov X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: 
List-Subscribe: , X-List-Received-Date: Fri, 06 Sep 2013 07:52:00 -0000 On Fri, Sep 06, 2013 at 09:39:33AM +0200, Dag-Erling Sm??rgrav wrote: > Slawa Olhovchenkov writes: > > Now I found next strange behaviour: for account with not found login > > class sshd refuse GSSAPIAuthentication. > > Hmm, I think that's an upstream issue. Try asking on the OpenSSH And `su` from root to this account also refused, with message 'pam_acct_mgmt: error in service module'. Creatin ~/.login_conf resolve this. May be this is PAM issue? Or libutil? > portable mailing list (openssh-unix-dev@mindrot.org) My previos message to this list silently lost.
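The failure reported in the two messages above (an account whose class field names a login class with no record in login.conf, so that sshd's GSSAPI login and `su` both fail in pam_acct_mgmt) is something an administrator can audit ahead of time. The script below is an added example, not code from this thread or from FreeBSD: it takes master.passwd-format text and login.conf-format text as arguments and reports every user whose non-empty class field has no matching record. The sample passwd and login.conf data embedded in it are constructed; the class name `me` is the one used in the thread.

```shell
#!/bin/sh
# Audit: find accounts whose login class is not defined in login.conf.
# Added example; the data below is constructed, not taken from a real host.

# master.passwd format: name:password:uid:gid:class:change:expire:gecos:home:shell
# (the class field is absent from /etc/passwd, so master.passwd is the source)
SAMPLE_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:me:0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*:1003:1003:staff:0:0:Carol:/home/carol:/bin/sh'

# login.conf is a termcap-style capability database: each record starts in
# column 0 as "name:" or "name|alias|Long Name:", continuation lines are indented.
SAMPLE_LOGIN_CONF='# constructed login.conf
default:\
	:passwd_format=sha512:\
	:copyright=/etc/COPYRIGHT:
staff|Staff Accounts:\
	:tc=default:'

# defined_classes LOGIN_CONF_TEXT
#   Print one record name (or alias) per line. Comment lines and indented
#   continuation lines are skipped; "a|b|c" headers are split on "|".
defined_classes() {
    printf '%s\n' "$1" | awk -F: '
        /^[^#[:space:]]/ {
            n = split($1, names, "|")
            for (i = 1; i <= n; i++) print names[i]
        }'
}

# undefined_class_users PASSWD_TEXT LOGIN_CONF_TEXT
#   Print "user:class" for every entry whose class field is non-empty and
#   does not appear in the login.conf records. An empty class field means
#   "default" and is never reported.
undefined_class_users() {
    passwd_text=$1
    classes=$(defined_classes "$2")
    printf '%s\n' "$passwd_text" | while IFS=: read -r user _pw _uid _gid class _rest; do
        if [ -z "$class" ]; then
            continue
        fi
        if ! printf '%s\n' "$classes" | grep -qx -- "$class"; then
            printf '%s:%s\n' "$user" "$class"
        fi
    done
}

# Stand-alone demonstration on the constructed data: reports "alice:me".
undefined_class_users "$SAMPLE_PASSWD" "$SAMPLE_LOGIN_CONF"
```

On a FreeBSD host the same functions can be fed `/etc/master.passwd` and `/etc/login.conf` (reading master.passwd requires root). Two caveats the thread itself hints at: login.conf is consulted through `login.conf.db`, so a record added to `/etc/login.conf` only takes effect after `cap_mkdb /etc/login.conf`, and a per-user `~/.login_conf` is a second place a class record can live, which is why creating that file cleared the error for the account described above; this script only checks the system-wide file you hand it.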