OpenSSH, PAM and kerberos
des at des.no
Fri Aug 30 12:51:49 UTC 2013
Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> Dag-Erling Smørgrav <des at des.no> writes:
> > PAM authentication in OpenSSH was broken for non-trivial cases when
> > privilege separation was implemented. Fixing it properly would be
> > very difficult.
> Same behaviour with 'UsePrivilegeSeparation no'. This issuse not in
> privilege separation, this is because PAM authentication use pthread
> emulation throw fork().
Please don't tell me how the code works. I wrote it - or rather, I
wrote a version that worked, before the OpenSSH developers implemented
privilege separation and had to break the PAM integration code to make
it fit. Even if you #define UNSUPPORTED_POSIX_THREADS_HACK to use
threads instead of a subprocess, OpenSSH will still call pam_start()
twice and lose the data stored in the authentication phase before
running the session phase.
(this is technically an abuse of the PAM API; I should probably add a
few lines to the OpenPAM dispatcher so it logs an error every time an
application tries to open a session without first authenticating)
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-security