Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 03 Sep 2013 17:31:13 +0200
From:      =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To:        lev@FreeBSD.org
Cc:        freebsd-security@FreeBSD.org, Slawa Olhovchenkov <slw@zxy.spb.ru>
Subject:   Re: OpenSSH, PAM and kerberos
Message-ID:  <86fvtludku.fsf@nine.des.no>
In-Reply-To: <1601348478.20130903182152@serebryakov.spb.ru> (Lev Serebryakov's message of "Tue, 3 Sep 2013 18:21:52 %2B0400")
References:  <86sixrwdcv.fsf@nine.des.no> <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <998724759.20130903142637@serebryakov.spb.ru> <20130903103922.GI3796@zxy.spb.ru> <6110257289.20130903145034@serebryakov.spb.ru> <86d2oquopo.fsf@nine.des.no> <226539732.20130903154908@serebryakov.spb.ru> <8661uiujin.fsf@nine.des.no> <1734535072.20130903174359@serebryakov.spb.ru> <86vc2it2ip.fsf@nine.des.no> <1601348478.20130903182152@serebryakov.spb.ru>
next in thread | previous in thread | raw e-mail | index | archive | help 
Lev Serebryakov <lev@FreeBSD.org> writes:
> Dag-Erling Sm=C3=B8rgrav <des@des.no> writes:
> > We're not just talking about a bug in sshd.  We're talking about a
> > fundamentally broken paradigm which affects *all* applications.
> How does it affect second-most-used-login application -- login(1)?

I don't think login(1) is anywhere near second place - but yes, login(1)
is affected too.  Everything that uses PAM is affected by the need to
have a process wait around to call pam_close_session().  Many, but not
all, PAM applications are also affected by PAM's reliance on callbacks
for user interaction (this is a major problem for OpenSSH).  Performing
authentication in the same process that accepts and parses input from
potentially hostile users is also a huge security issue, cf. privilege
separation.

> And, yes, what do you mean by "fundamentally broken paradigm" here?
> PAM itself?

PAM, NSS, everything.  Using separate APIs with separate backends for
identification and authentication, shoehorning modern identity databases
into the 40-year-old getpwnam() API - everything.

DES
--=20
Dag-Erling Sm=C3=B8rgrav - des@des.no

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86fvtludku.fsf>