OpenSSH, PAM and kerberos

Dag-Erling Smørgrav des at
Fri Aug 30 12:51:49 UTC 2013

Slawa Olhovchenkov <slw at> writes:
> Dag-Erling Smørgrav <des at> writes:
> > PAM authentication in OpenSSH was broken for non-trivial cases when
> > privilege separation was implemented.  Fixing it properly would be
> > very difficult.
> Same behaviour with 'UsePrivilegeSeparation no'.  This issuse not in
> privilege separation, this is because PAM authentication use pthread
> emulation throw fork().

Please don't tell me how the code works.  I wrote it - or rather, I
wrote a version that worked, before the OpenSSH developers implemented
privilege separation and had to break the PAM integration code to make
it fit.  Even if you #define UNSUPPORTED_POSIX_THREADS_HACK to use
threads instead of a subprocess, OpenSSH will still call pam_start()
twice and lose the data stored in the authentication phase before
running the session phase.

(this is technically an abuse of the PAM API; I should probably add a
few lines to the OpenPAM dispatcher so it logs an error every time an
application tries to open a session without first authenticating)

Dag-Erling Smørgrav - des at

More information about the freebsd-security mailing list