Date:      Mon, 2 Sep 2013 22:17:54 +0400
From:      Slawa Olhovchenkov <slw@zxy.spb.ru>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        freebsd-security@FreeBSD.org
Subject:   Re: OpenSSH, PAM and kerberos
Message-ID:  <20130902181754.GD3796@zxy.spb.ru>
In-Reply-To: <8661uj9lc6.fsf@nine.des.no>
References:  <20130829004844.GA70584@zxy.spb.ru> <86d2ovy64p.fsf@nine.des.no> <20130830100926.GU3796@zxy.spb.ru> <20130830103009.GV3796@zxy.spb.ru> <86sixrwdcv.fsf@nine.des.no> <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no>

On Mon, Sep 02, 2013 at 07:36:57PM +0200, Dag-Erling Smørgrav wrote:

> Slawa Olhovchenkov <slw@zxy.spb.ru> writes:
> > Hmmm, now I try to compile sshd with UNSUPPORTED_POSIX_THREADS_HACK and
> > it works (/tmp/krb5cc_NNNN created, kerberized login to other host
> > working w/o entering password).
> 
> So they didn't break the thread version?  You shouldn't use it, though,
> as the rest of OpenSSH is not thread-safe.  The threads are only
> partially synchronized, and service modules may for instance call
> getpwent() and thereby clobber global state which OpenSSH relies on.

As I understand it, the interaction between sshd and the PAM subsystem occurs as follows:

1. sshd needs PAM auth
2. it calls sshpam_init_ctx
3. sshpam_init_ctx does sshpam_init
4. for non-blocking processing, sshpam_init_ctx does
   pthread_create(sshpam_thread) (emulated by fork).
5. in the child process, sshpam_thread does pam_authenticate and stores the cred.
6. the child process is terminated by sshpam_free_ctx
7. sshd does pam_setcred for the context from [2] (and loses the cred in the child
   process).
8. sshd forks a less-privileged child
9. the child terminates
10. the PAM session is closed.


If in this scenario, at step 4, we do pthread_create instead of fork, we don't
lose the stored credentials and (I think) have a fully synchronized thread
(the new thread only works on request from the parent and only for a short time).

W/o the thread we need to constantly run 3 sshd: the unprivileged one, the privileged one
working with PAM, and the master process.
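
Added illustration, not part of the original message and not OpenSSH code: the difference between steps 4-7 with a fork-emulated "thread" and with a real pthread, showing why state written by the authentication worker is invisible to the parent after fork(). The struct `auth_ctx`, the function names and the uid 1001 are hypothetical stand-ins for the PAM handle state and the Kerberos credential cache path.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for per-handle PAM state (not OpenSSH's structure). */
struct auth_ctx {
    char ccache[64];            /* credential cache path a module would record */
};

/* Stand-in for pam_authenticate(): the module stores credentials in the handle. */
static void *auth_worker(void *arg)
{
    struct auth_ctx *ctx = arg;
    snprintf(ctx->ccache, sizeof(ctx->ccache), "/tmp/krb5cc_%d", 1001); /* constructed uid */
    return NULL;
}

/* Worker run in a fork()ed child: it writes to its own copy of ctx.
 * Returns 1 if the parent can see the stored credentials, 0 if not, -1 on error. */
int creds_visible_after_fork(void)
{
    struct auth_ctx ctx;
    memset(&ctx, 0, sizeof(ctx));
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { auth_worker(&ctx); _exit(0); }   /* child exits, its copy is gone */
    if (waitpid(pid, NULL, 0) < 0) return -1;
    return ctx.ccache[0] != '\0';
}

/* Worker run as a real thread: it shares the parent's address space. */
int creds_visible_after_thread(void)
{
    struct auth_ctx ctx;
    pthread_t t;
    memset(&ctx, 0, sizeof(ctx));
    if (pthread_create(&t, NULL, auth_worker, &ctx) != 0) return -1;
    if (pthread_join(t, NULL) != 0) return -1;
    return ctx.ccache[0] != '\0';
}

int main(void)
{
    printf("fork:   creds visible to parent = %d\n", creds_visible_after_fork());
    printf("thread: creds visible to parent = %d\n", creds_visible_after_thread());
    return 0;
}
```

Build with `cc -pthread`. The shared address space that keeps the credentials visible in the thread case is also what allows a service module to clobber global state, which is the concern raised in the quoted reply.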



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130902181754.GD3796>