Date: Fri, 30 Aug 2013 17:14:55 +0400
From: Slawa Olhovchenkov
To: Dag-Erling Smørgrav
Cc: freebsd-security@FreeBSD.org
Subject: Re: OpenSSH, PAM and kerberos
Message-ID: <20130830131455.GW3796@zxy.spb.ru>
In-Reply-To: <86sixrwdcv.fsf@nine.des.no>
References: <20130829004844.GA70584@zxy.spb.ru> <86d2ovy64p.fsf@nine.des.no> <20130830100926.GU3796@zxy.spb.ru> <20130830103009.GV3796@zxy.spb.ru> <86sixrwdcv.fsf@nine.des.no>

On Fri, Aug 30, 2013 at 02:51:44PM +0200, Dag-Erling Smørgrav wrote:

> Slawa Olhovchenkov writes:
> > Dag-Erling Smørgrav writes:
> > > PAM authentication in OpenSSH was broken for non-trivial cases when
> > > privilege separation was implemented. Fixing it properly would be
> > > very difficult.
> > Same behaviour with 'UsePrivilegeSeparation no'. This issue is not in
> > privilege separation; this is because PAM authentication uses pthread
> > emulation through fork().
>
> Please don't tell me how the code works. I wrote it - or rather, I
> wrote a version that worked, before the OpenSSH developers implemented
> privilege separation and had to break the PAM integration code to make
> it fit. Even if you #define UNSUPPORTED_POSIX_THREADS_HACK to use
> threads instead of a subprocess, OpenSSH will still call pam_start()
> twice and lose the data stored in the authentication phase before
> running the session phase.

Hmmm, now I try to compile sshd with UNSUPPORTED_POSIX_THREADS_HACK
and it works (/tmp/krb5cc_NNNN created, kerberized login to other host
working w/o entering password).

And I see only one record in the log file
(debug1: PAM: initializing for "slw")

What did I miss?

PS: UsePrivilegeSeparation yes

> (this is technically an abuse of the PAM API; I should probably add a
> few lines to the OpenPAM dispatcher so it logs an error every time an
> application tries to open a session without first authenticating)
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no