Date: Fri, 30 Aug 2013 14:51:44 +0200
From: Dag-Erling Smørgrav <des@des.no>
To: Slawa Olhovchenkov <slw@zxy.spb.ru>
Cc: freebsd-security@FreeBSD.org
Subject: Re: OpenSSH, PAM and kerberos
Message-ID: <86sixrwdcv.fsf@nine.des.no>
In-Reply-To: <20130830103009.GV3796@zxy.spb.ru> (Slawa Olhovchenkov's message of "Fri, 30 Aug 2013 14:30:09 +0400")
References: <20130829004844.GA70584@zxy.spb.ru> <86d2ovy64p.fsf@nine.des.no> <20130830100926.GU3796@zxy.spb.ru> <20130830103009.GV3796@zxy.spb.ru>
Slawa Olhovchenkov <slw@zxy.spb.ru> writes:
> Dag-Erling Smørgrav <des@des.no> writes:
> > PAM authentication in OpenSSH was broken for non-trivial cases when
> > privilege separation was implemented. Fixing it properly would be
> > very difficult.
> Same behaviour with 'UsePrivilegeSeparation no'. This issue is not in
> privilege separation; this is because PAM authentication uses pthread
> emulation through fork().

Please don't tell me how the code works. I wrote it - or rather, I wrote a version that worked, before the OpenSSH developers implemented privilege separation and had to break the PAM integration code to make it fit.

Even if you #define UNSUPPORTED_POSIX_THREADS_HACK to use threads instead of a subprocess, OpenSSH will still call pam_start() twice and lose the data stored in the authentication phase before running the session phase.

(this is technically an abuse of the PAM API; I should probably add a few lines to the OpenPAM dispatcher so it logs an error every time an application tries to open a session without first authenticating)

DES
-- 
Dag-Erling Smørgrav - des@des.no
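Added illustration, not code from this thread nor from OpenSSH or OpenPAM: a constructed model of a PAM handle showing why data a module stores during the auth phase is lost when the application calls pam_start() a second time for the session phase, plus the "session without prior authentication" check the mail proposes for the dispatcher. All names are hypothetical (the demo_* functions stand in for the PAM calls; the "ccache" key and path are constructed values).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for a PAM handle (not OpenPAM's struct): module data
 * set with pam_set_data() lives in the handle and dies with pam_end(). */
typedef struct demo_pam_handle {
    char data_key[32];      /* a single module-data slot is enough here */
    char data_val[128];
    int  authenticated;     /* set once the auth phase has succeeded */
} demo_pam_handle_t;
static demo_pam_handle_t *demo_pam_start(void) { return calloc(1, sizeof(demo_pam_handle_t)); }
static void demo_pam_end(demo_pam_handle_t *h) { free(h); }
static void demo_pam_set_data(demo_pam_handle_t *h, const char *key, const char *val) {
    snprintf(h->data_key, sizeof h->data_key, "%s", key);
    snprintf(h->data_val, sizeof h->data_val, "%s", val);
}
static const char *demo_pam_get_data(const demo_pam_handle_t *h, const char *key) {
    return strcmp(h->data_key, key) == 0 ? h->data_val : NULL;
}
/* Auth phase: a module (think Kerberos) stashes a credential cache name for the session phase. */
static void demo_auth_phase(demo_pam_handle_t *h) {
    demo_pam_set_data(h, "ccache", "/tmp/krb5cc_demo");   /* constructed value */
    h->authenticated = 1;
}
/* Session phase, with the dispatcher check the mail proposes: log when never authenticated. */
static int demo_open_session(demo_pam_handle_t *h) {
    if (!h->authenticated)
        fprintf(stderr, "error: session opened without prior authentication\n");
    return demo_pam_get_data(h, "ccache") != NULL;   /* 1 = auth data survived */
}
/* One handle across both phases: the session sees what auth stored. */
int session_sees_auth_data_single_start(void) {
    demo_pam_handle_t *h = demo_pam_start();
    demo_auth_phase(h);
    int ok = demo_open_session(h);
    demo_pam_end(h);
    return ok;
}
/* pam_start() twice (the OpenSSH pattern): the second handle starts empty. */
int session_sees_auth_data_double_start(void) {
    demo_pam_handle_t *auth = demo_pam_start();
    demo_auth_phase(auth);
    demo_pam_end(auth);                 /* everything auth stored is gone now */
    demo_pam_handle_t *sess = demo_pam_start();
    int ok = demo_open_session(sess);   /* logs the error, returns 0 */
    demo_pam_end(sess);
    return ok;
}
```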