OpenSSH, PAM and kerberos

Slawa Olhovchenkov slw at
Fri Aug 30 13:12:51 UTC 2013

On Fri, Aug 30, 2013 at 02:51:44PM +0200, Dag-Erling Sm??rgrav wrote:

> Slawa Olhovchenkov <slw at> writes:
> > Dag-Erling Sm??rgrav <des at> writes:
> > > PAM authentication in OpenSSH was broken for non-trivial cases when
> > > privilege separation was implemented.  Fixing it properly would be
> > > very difficult.
> > Same behaviour with 'UsePrivilegeSeparation no'.  This issuse not in
> > privilege separation, this is because PAM authentication use pthread
> > emulation throw fork().
> Please don't tell me how the code works.  I wrote it - or rather, I
> wrote a version that worked, before the OpenSSH developers implemented
> privilege separation and had to break the PAM integration code to make
> it fit.  Even if you #define UNSUPPORTED_POSIX_THREADS_HACK to use
> threads instead of a subprocess, OpenSSH will still call pam_start()
> twice and lose the data stored in the authentication phase before
> running the session phase.

Hmmm, now I try to compile sshd with UNSUPPORTED_POSIX_THREADS_HACK and
it works (/tmp/krb5cc_NNNN created, kerberosied login to other host
working w/o entering password). 

And I see only one record in log file (debug1: PAM: initializing for "slw")

What I missed?

PS: UsePrivilegeSeparation yes

> (this is technically an abuse of the PAM API; I should probably add a
> few lines to the OpenPAM dispatcher so it logs an error every time an
> application tries to open a session without first authenticating)
> -- 
> Dag-Erling Sm??rgrav - des at

More information about the freebsd-security mailing list