From owner-freebsd-security@FreeBSD.ORG Fri Aug 30 10:28:03 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id E5433F71 for ; Fri, 30 Aug 2013 10:28:03 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) by mx1.freebsd.org (Postfix) with ESMTP id 9F0EA28E4 for ; Fri, 30 Aug 2013 10:28:03 +0000 (UTC) Received: from slw by zxy.spb.ru with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1VFLxx-0000lc-1k; Fri, 30 Aug 2013 14:30:09 +0400 Date: Fri, 30 Aug 2013 14:30:09 +0400 From: Slawa Olhovchenkov To: Dag-Erling Sm??rgrav Subject: Re: OpenSSH, PAM and kerberos Message-ID: <20130830103009.GV3796@zxy.spb.ru> References: <20130829004844.GA70584@zxy.spb.ru> <86d2ovy64p.fsf@nine.des.no> <20130830100926.GU3796@zxy.spb.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20130830100926.GU3796@zxy.spb.ru> User-Agent: Mutt/1.5.21 (2010-09-15) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: slw@zxy.spb.ru X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false Cc: freebsd-security@FreeBSD.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Aug 2013 10:28:04 -0000 On Fri, Aug 30, 2013 at 02:09:26PM +0400, Slawa Olhovchenkov wrote: > On Fri, Aug 30, 2013 at 09:44:54AM +0200, Dag-Erling Sm??rgrav wrote: > > > Slawa Olhovchenkov writes: > > > I am try to setup single sign-on and found this is imposuble due to > > > bug in OpenSSH: currently sshd do pam_authenticate() and > > > pam_acct_mgmt() from child process, but pam_setcred() from paren > > > proccess. pam_krb5 in pam_sm_setcred() required information from > > > pam_sm_authenticate and can't work corretly (can't create > > > /tmp/krb5cc_NNNN, can't set envirompent KRB5CCNAME and so). > > > > PAM authentication in OpenSSH was broken for non-trivial cases when > > privilege separation was implemented. Fixing it properly would be very > > difficult. > > Same behaviour with 'UsePrivilegeSeparation no'. > This issuse not in privilege separation, this is because PAM authentication use pthread emulation throw fork().