OpenSSH, PAM and kerberos
slw at zxy.spb.ru
Fri Aug 30 13:12:51 UTC 2013
On Fri, Aug 30, 2013 at 02:51:44PM +0200, Dag-Erling Sm??rgrav wrote:
> Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> > Dag-Erling Sm??rgrav <des at des.no> writes:
> > > PAM authentication in OpenSSH was broken for non-trivial cases when
> > > privilege separation was implemented. Fixing it properly would be
> > > very difficult.
> > Same behaviour with 'UsePrivilegeSeparation no'. This issuse not in
> > privilege separation, this is because PAM authentication use pthread
> > emulation throw fork().
> Please don't tell me how the code works. I wrote it - or rather, I
> wrote a version that worked, before the OpenSSH developers implemented
> privilege separation and had to break the PAM integration code to make
> it fit. Even if you #define UNSUPPORTED_POSIX_THREADS_HACK to use
> threads instead of a subprocess, OpenSSH will still call pam_start()
> twice and lose the data stored in the authentication phase before
> running the session phase.
Hmmm, now I try to compile sshd with UNSUPPORTED_POSIX_THREADS_HACK and
it works (/tmp/krb5cc_NNNN created, kerberosied login to other host
working w/o entering password).
And I see only one record in log file (debug1: PAM: initializing for "slw")
What I missed?
PS: UsePrivilegeSeparation yes
> (this is technically an abuse of the PAM API; I should probably add a
> few lines to the OpenPAM dispatcher so it logs an error every time an
> application tries to open a session without first authenticating)
> Dag-Erling Sm??rgrav - des at des.no
More information about the freebsd-security