From owner-freebsd-security@FreeBSD.ORG Mon Sep 2 18:15:49 2013
Delivered-To: freebsd-security@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 8A00BE4 for ; Mon, 2 Sep 2013 18:15:49 +0000 (UTC) (envelope-from slw@zxy.spb.ru)
Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) by mx1.freebsd.org (Postfix) with ESMTP id 46AE327FD for ; Mon, 2 Sep 2013 18:15:49 +0000 (UTC)
Received: from slw by zxy.spb.ru with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1VGYhG-0008HJ-69; Mon, 02 Sep 2013 22:17:54 +0400
Date: Mon, 2 Sep 2013 22:17:54 +0400
From: Slawa Olhovchenkov
To: Dag-Erling Smørgrav
Subject: Re: OpenSSH, PAM and kerberos
Message-ID: <20130902181754.GD3796@zxy.spb.ru>
References: <20130829004844.GA70584@zxy.spb.ru> <86d2ovy64p.fsf@nine.des.no> <20130830100926.GU3796@zxy.spb.ru> <20130830103009.GV3796@zxy.spb.ru> <86sixrwdcv.fsf@nine.des.no> <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <8661uj9lc6.fsf@nine.des.no>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-SA-Exim-Mail-From: slw@zxy.spb.ru
X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false
Cc: freebsd-security@FreeBSD.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Mon, 02 Sep 2013 18:15:49 -0000

On Mon, Sep 02, 2013 at 07:36:57PM +0200, Dag-Erling Smørgrav wrote:

> Slawa Olhovchenkov writes:
> > Hmmm, now I tried compiling sshd with UNSUPPORTED_POSIX_THREADS_HACK and
> > it works (/tmp/krb5cc_NNNN is created, Kerberized login to another host
> > works without entering a password).
>
> So they didn't break the thread version? You shouldn't use it, though,
> as the rest of OpenSSH is not thread-safe. The threads are only
> partially synchronized, and service modules may for instance call
> getpwent() and thereby clobber global state which OpenSSH relies on.

As I understand it, the interaction between sshd and the PAM subsystem goes as follows:

1. sshd needs PAM auth.
2. It calls sshpam_init_ctx.
3. sshpam_init_ctx does sshpam_init.
4. For non-blocking processing, sshpam_init_ctx does pthread_create(sshpam_thread) (emulated by fork).
5. In the child process, sshpam_thread does pam_authenticate and stores the cred.
6. The child process is terminated by sshpam_free_ctx.
7. sshd does pam_setcred for the context from [2] (and the cred stored in the child process is lost).
8. sshd forks the less-privileged child.
9. The child terminates.
10. The PAM session is closed.

If in this scenario step 4 does pthread_create instead of fork, we don't lose the stored credentials and (I think) have a fully synchronized thread (the new thread only works on request from the parent, and only for a short time). Without threads we need to constantly run 3 sshd processes: the unprivileged one, the privileged one which works with PAM, and the master process.
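The state-loss described in steps 4 to 7 above can be shown in isolation. The following is an added example, not OpenSSH or pam_krb5 code: a toy PAM module that records what its "pam_authenticate" obtained in process memory (real modules keep this as module data on the pam_handle_t; a static is enough here) and a "pam_setcred" that reports whether anything is there to install. The step-4 hand-off is done twice, once with a real pthread and once with a forked child, and the result of the parent's step-7 pam_setcred is returned from each. All names (toy_pam_*, cred_visible_after_*) are hypothetical.

```c
#include <pthread.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Added example (not OpenSSH code). Stand-in for a PAM module's in-memory
 * state: the toy module remembers what pam_authenticate() obtained and
 * hands it to pam_setcred() later.
 */
static char module_cred[64];

/* Toy pam_authenticate(): "obtains a TGT" and records where it would be cached. */
static void toy_pam_authenticate(void)
{
    snprintf(module_cred, sizeof module_cred, "FILE:/tmp/krb5cc_%ld", (long)getuid());
}

/* Toy pam_setcred(): 1 if a stored credential exists to install, else 0. */
static int toy_pam_setcred(void)
{
    return module_cred[0] != '\0';
}

static void *auth_thread(void *arg)
{
    (void)arg;
    toy_pam_authenticate();
    return NULL;
}

/* Step 4 with a real pthread (UNSUPPORTED_POSIX_THREADS_HACK): authentication
 * runs in the same address space, so step 7 sees what the thread stored. */
int cred_visible_after_pthread_auth(void)
{
    pthread_t t;
    module_cred[0] = '\0';
    if (pthread_create(&t, NULL, auth_thread, NULL) != 0)
        return -1;
    pthread_join(t, NULL);
    return toy_pam_setcred();
}

/* Step 4 as the default sshd build does it: the "thread" is a forked child.
 * The child works on a copy of the address space; its write to module_cred
 * dies with it at step 6, and the parent's pam_setcred() at step 7 finds
 * nothing. */
int cred_visible_after_fork_auth(void)
{
    int status;
    pid_t pid;
    module_cred[0] = '\0';
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        toy_pam_authenticate();
        _exit(0);               /* sshpam_free_ctx equivalent: child goes away */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return toy_pam_setcred();
}

int main(void)
{
    printf("pthread: cred visible to pam_setcred = %d\n", cred_visible_after_pthread_auth());
    printf("fork:    cred visible to pam_setcred = %d\n", cred_visible_after_fork_auth());
    return 0;
}
```

The shared address space that makes the pthread case work is the same thing the quoted objection is about: a module running in that thread can call getpwent() or touch any other global that the rest of sshd, which was not written for concurrency, also uses. The fork emulation trades away the module's in-memory credential for that isolation, which is why the ccache only shows up with the threads hack.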