[OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT
Kerberos
Dean Anderson
dean@av8.com
Mon, 26 Jan 2004 17:17:46 -0500 (EST)
On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
> Worse, it would not solve the problem. The trouble here is not that AFS
> tokens are stored in a kernel data structure instead of a file. It's that
> they are indexed by a value which must be set on login, inherited from each
> process by its children, and must not be changeable by the user (to prevent
> token stealing). OpenSSH loses not because you need special code to set
> tokens, and not even because you need special code to generate a new PAG --
> those things can be done by a PAM module. OpenSSH loses because the PAM
> session module gets called outside the inheritance chain of the user's
> shell, which means it can't set a PAG or anything else that is inherited
> across a fork (e.g. groups, environment variables, resource limits, etc etc
> etc).
Right. And there is an easy solution: Turn off Privsep. A process that
creates new user sessions needs root privileges, and those privileges
cannot be given away prematurely to "improve security". Privsep is just a
stupid idea for some programs. Probably for most programs...
Privsep is not a solution of security problems caused by bad programs. It
is just throwing complication at a problem in the hopes that by making it
more complicated, that security is improved.
While privsep can be turned off, and the AFS problems are solved when
privsep is turned off, it seems that many people don't know this. I think
that it would help if a new distribution of openssh, etc were created
without privsep. As I said, I think this privsep business is a bad idea,
and I would just remove it from the code.
--Dean