From owner-freebsd-security@FreeBSD.ORG Fri Aug 30 12:51:49 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 3F4AD12A for ; Fri, 30 Aug 2013 12:51:49 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 0352021E3 for ; Fri, 30 Aug 2013 12:51:48 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 1A57D409B; Fri, 30 Aug 2013 12:51:48 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 869EF29D25; Fri, 30 Aug 2013 14:51:44 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Slawa Olhovchenkov Subject: Re: OpenSSH, PAM and kerberos References: <20130829004844.GA70584@zxy.spb.ru> <86d2ovy64p.fsf@nine.des.no> <20130830100926.GU3796@zxy.spb.ru> <20130830103009.GV3796@zxy.spb.ru> Date: Fri, 30 Aug 2013 14:51:44 +0200 In-Reply-To: <20130830103009.GV3796@zxy.spb.ru> (Slawa Olhovchenkov's message of "Fri, 30 Aug 2013 14:30:09 +0400") Message-ID: <86sixrwdcv.fsf@nine.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@FreeBSD.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Aug 2013 12:51:49 -0000 Slawa Olhovchenkov writes: > Dag-Erling Sm=C3=B8rgrav writes: > > PAM authentication in OpenSSH was broken for non-trivial cases when > > privilege separation was implemented. Fixing it properly would be > > very difficult. > Same behaviour with 'UsePrivilegeSeparation no'. This issuse not in > privilege separation, this is because PAM authentication use pthread > emulation throw fork(). Please don't tell me how the code works. I wrote it - or rather, I wrote a version that worked, before the OpenSSH developers implemented privilege separation and had to break the PAM integration code to make it fit. Even if you #define UNSUPPORTED_POSIX_THREADS_HACK to use threads instead of a subprocess, OpenSSH will still call pam_start() twice and lose the data stored in the authentication phase before running the session phase. (this is technically an abuse of the PAM API; I should probably add a few lines to the OpenPAM dispatcher so it logs an error every time an application tries to open a session without first authenticating) DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no