[OpenAFS] home on afs woes
Jeffrey Hutzelman
jhutz@cmu.edu
Fri, 13 Jan 2006 17:06:10 -0500

On Thursday, January 12, 2006 06:41:21 PM -0800 Russ Allbery
<rra@stanford.edu> wrote:
> Jeffrey Hutzelman <jhutz@cmu.edu> writes:
>
>> However, they do it that way not as part of some misguided attempt at
>> "security", but because of the constraints imposed by the way their SSH
>> protocol parser interacts with keyboard-interactive. Fixing it would
>> require significant work, not to mention actually getting the fix
>> accepted.
>
> Could you give me more details on why that would be the case? It doesn't
> intuitively make sense to me why proxying the PAM interaction through yet
> another level of indirection would help. Some kind of a deadlock
> situation where you don't know which source of input to wait for,
> perhaps?

Essentially, the issue is that OpenSSH's protocol dispatch engine calls a
handler for each SSH message received, and expects the handler to return so
it can go on waiting for the next message. PAM, on the other hand, wants
to call the application each time it wants to display a message or prompt
for input, and for the application to return with the result. So the
keyboard-interactive driver is stuck in the middle, trying to mediate
between two systems both of which want to be at the top of the call stack.

The way OpenSSH handles this is to run the pam_authenticate in a separate
process (or, with the unsupported "hack", in a separate thread), with the
two processes speaking a trivial protocol to each other. The PAM
conversation function sends messages and prompts up to the main sshd
process, and blocks until it gets a response; in the meantime, the sshd
returns to the message dispatcher, and sends incoming replies to the PAM
process.

Now, another approach would be to turn the PAM call stack "upside-down" by
having the conversation function return PAM_CONV_AGAIN, which _should_
result in the call to pam_authenticate returning PAM_INCOMPLETE. However,
that would be a fair bit of work, and who's to say if they'd take a patch?

-- Jeff
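An added illustration of the two designs Jeff describes, written for this archive page; it is not code from the thread, from OpenSSH, or from Linux-PAM. It models sshd's message dispatcher as an event loop over a single inbox and stands in for pam_authenticate() with a one-module mock that blocks inside the conversation function exactly as the real library does. The first loop mirrors OpenSSH's actual design (a helper that runs the PAM call and relays prompts and replies over a trivial protocol, here a thread and two queues instead of a forked process and a pipe); the second mirrors the PAM_CONV_AGAIN / PAM_INCOMPLETE "upside-down" alternative. The message names, the secret, and the numeric status values are constructed for the example (the constant names are Linux-PAM's, the numbers are not).

```python
"""Model of the OpenSSH dispatcher vs. PAM conversation control-flow clash.

Constructed example: the message names, secret, and status numbers below
are placeholders, not values from OpenSSH or Linux-PAM.
"""
import queue
import threading

# Linux-PAM constant names; the numeric values are arbitrary sentinels.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_CONV_AGAIN, PAM_INCOMPLETE = 0, 1, 2, 3


def mock_pam_authenticate(conv, secret):
    """Stand-in for pam_authenticate(): one module asks for a passphrase via
    the conversation function and checks it.  Like real PAM it is a plain
    blocking call; whatever conv() does, this function does not return
    until conv() does."""
    status, reply = conv("Passphrase: ")
    if status == PAM_CONV_AGAIN:      # application has no answer yet
        return PAM_INCOMPLETE
    return PAM_SUCCESS if reply == secret else PAM_AUTH_ERR


class PamHelper:
    """OpenSSH's approach: run the PAM call off the dispatcher's stack.  The
    conversation function posts prompts into the dispatcher's inbox and
    blocks on its own queue until a reply is delivered (pipe protocol)."""

    def __init__(self, secret, inbox):
        self.inbox, self.secret = inbox, secret
        self.to_pam = queue.Queue()
        self.thread = threading.Thread(target=self._run, daemon=True)

    def start(self):
        self.thread.start()

    def deliver_reply(self, answer):
        self.to_pam.put(answer)

    def _conv(self, prompt):
        self.inbox.put(("PAM_PROMPT", prompt))
        return PAM_SUCCESS, self.to_pam.get()   # blocks the helper only

    def _run(self):
        self.inbox.put(("PAM_DONE", mock_pam_authenticate(self._conv, self.secret)))


def sshd_loop_with_helper(secret, client_answer):
    """Dispatcher: every handler returns promptly; PAM blocks elsewhere."""
    inbox, trace = queue.Queue(), []
    helper = PamHelper(secret, inbox)
    inbox.put(("USERAUTH_REQUEST", "keyboard-interactive"))
    while True:
        msg, *payload = inbox.get(timeout=2)
        trace.append(msg)
        if msg == "USERAUTH_REQUEST":
            helper.start()
        elif msg == "PAM_PROMPT":            # -> SSH_MSG_USERAUTH_INFO_REQUEST
            inbox.put(("USERAUTH_INFO_RESPONSE", client_answer(payload[0])))
        elif msg == "USERAUTH_INFO_RESPONSE":
            helper.deliver_reply(payload[0])
        elif msg == "PAM_DONE":
            return payload[0], trace


def sshd_loop_incomplete(secret, client_answer):
    """The 'upside-down' alternative: no helper.  conv() never blocks; with no
    answer on hand it returns PAM_CONV_AGAIN so pam_authenticate() returns
    PAM_INCOMPLETE, and the dispatcher re-enters it once the reply arrives."""
    inbox, trace = queue.Queue(), []
    pending = {"prompt": None, "reply": None}

    def conv(prompt):
        if pending["reply"] is None:
            pending["prompt"] = prompt
            return PAM_CONV_AGAIN, None
        reply, pending["reply"] = pending["reply"], None
        return PAM_SUCCESS, reply

    def step():
        status = mock_pam_authenticate(conv, secret)
        inbox.put(("PAM_PROMPT", pending["prompt"]) if status == PAM_INCOMPLETE
                  else ("PAM_DONE", status))

    inbox.put(("USERAUTH_REQUEST", "keyboard-interactive"))
    while True:
        msg, *payload = inbox.get(timeout=2)
        trace.append(msg)
        if msg == "USERAUTH_REQUEST":
            step()
        elif msg == "PAM_PROMPT":
            inbox.put(("USERAUTH_INFO_RESPONSE", client_answer(payload[0])))
        elif msg == "USERAUTH_INFO_RESPONSE":
            pending["reply"] = payload[0]
            step()                           # second pam_authenticate() call
        elif msg == "PAM_DONE":
            return payload[0], trace


if __name__ == "__main__":
    for loop in (sshd_loop_with_helper, sshd_loop_incomplete):
        print(loop.__name__, loop("correct horse", lambda prompt: "correct horse"))
```

Both loops produce the same message trace on the wire; the difference is only where the blocked PAM stack frame lives. The helper version is the one a real sshd can adopt without any cooperation from the modules, which is why OpenSSH chose it; the PAM_INCOMPLETE version only works if every module in the stack is written to checkpoint its state and tolerate being re-entered, which is the "fair bit of work" Jeff mentions.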