Patch: Solved: Re: [OpenAFS-devel] PAM / openssh 3.7.1p2

Dean Anderson dean@av8.com
Thu, 9 Oct 2003 22:39:11 -0400 (EDT)


I have another gripe about openssh 3.7.1p2: Password authentication
doesn't try pam.  While I appreciate the additional capabilities of
keyboard-interactive/pam, which can support things like crypto cards and
such, simple password authentication should still attempt PAM
authentication. Obviously, one is more limited about what can be handled
this way, but many pam modules work with passwords, and many ssh clients
don't support keyboard-interactive/pam.

Is anyone actively working with the openssh group?

		--Dean

On Mon, 6 Oct 2003, Dean Anderson wrote:

> Ok, some joy was found by compiling the auth-pam.o with
> -DUSE_POSIX_THREADS and linking with -lpthread.  Looks like something in
> the sshd "pthread emulation" is breaking pam_afs...
>
> The pthread "emulation" is, well, interesting.  It creates another process
> and a couple sockets to communicate between them.  It is unclear what
> benefit this has. Pam_afs forks to enable automatic memory leak cleanup.
> However, pthreads (if you use real pthreads), don't have this property.
>
> It is unclear to me why the additional fork causes
> ka_UserAuthenticateGeneral not to properly set the PAG, nor why it would
> get another pag. (could sshd have inherited this???)
>
> I'm truly mystified as to why this works this way...  I would really like
> to hear from anyone who can explain this.
>
> 		--Dean
>
> On Mon, 6 Oct 2003, Dean Anderson wrote:
>
> > Never mind. Somehow, it was getting the PAG of a previous login.  This is
> > probably a more serious bug (one shouldn't be able to get PAGs by UID
> > association, right?), but not directly related to the openssh/pam_afs bug.
> >
> > So, anyone have any ideas on why the pam_afs module doesn't work with
> > openssh?
> >
> > 		--Dean
> >