From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 14:21:57 2013
From: Lev Serebryakov <lev@FreeBSD.org>
Organization: FreeBSD Project
Date: Tue, 3 Sep 2013 18:21:52 +0400
To: Dag-Erling Smørgrav
Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov
Subject: Re: OpenSSH, PAM and kerberos
Message-ID: <1601348478.20130903182152@serebryakov.spb.ru>
In-Reply-To: <86vc2it2ip.fsf@nine.des.no>
References: <86sixrwdcv.fsf@nine.des.no> <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <998724759.20130903142637@serebryakov.spb.ru> <20130903103922.GI3796@zxy.spb.ru> <6110257289.20130903145034@serebryakov.spb.ru> <86d2oquopo.fsf@nine.des.no> <226539732.20130903154908@serebryakov.spb.ru> <8661uiujin.fsf@nine.des.no> <1734535072.20130903174359@serebryakov.spb.ru> <86vc2it2ip.fsf@nine.des.no>

Hello, Dag-Erling.
You wrote on 3 September 2013, 18:15:26:

>> login(1) works. It means that console and telnet work. ftpd(8) doesn't
>> need such excessive session support (single login via ftp? Are you
>> kidding?). So, only sshd(8) is broken. And change (dramatically) well-known
>> programs (like login(1)) and introduce a new subsystem to fix a bug (it is
>> really a bug) in sshd? I don't think it is a sane way to do things.
DES> We're not just talking about a bug in sshd. We're talking about a
DES> fundamentally broken paradigm which affects *all* applications.

How does it affect the second-most-used login application, login(1)?

I know nothing about xdm, gdm, kdm and all other X11 display managers, as I don't use anything UNIX-like on desktops. Are they affected too? Or do they work as intended now?

Which other applications need this functionality? ftpd(8)? Is it affected? But I'm not sure that ftpd(8) needs something like this at all, as I cannot imagine any kerberized / single-login application running with ftpd as its parent. Maybe my imagination is poor.

And, yes, what do you mean by "fundamentally broken paradigm" here? PAM itself?

-- 
// Black Lion AKA Lev Serebryakov