[OpenAFS-devel] OpenAFS and OpenSSH-3.8

Dean Anderson dean@av8.com
Mon, 1 Mar 2004 15:54:58 -0500 (EST)


On Mon, 1 Mar 2004, Jim Rees wrote:

> Theo is dead set against using dlopen in "critical" software like sshd.
> When we added smartcard support to OpenSSH I had to remove the dynamic
> reader library loading, and bind statically against one reader library
> (currently Todos).

I am not against this. We do it all the time in "critical code". I will
include this in my forked version of openssh.

> I think the long term solution is to get linux and the BSDs to agree on a
> common setpag syscall, and have it available even if afs is not loaded.
> Then sshd can call setpag without worrying about SIGSYS.  A helper process
> can be used to acquire tokens.

This will be hard, given what Linus has said about PAGs in general.
Unless we can make PAGs a security context suitable for Linus, it will not 
get into Linux.

I see PAM as the logical solution to this, though.  There is no problem
with getting SIGSYS for user logins: Something is broken, and needs to be
fixed.  Root is the rescuer, and the PAM afs module can exclude root from
trying to call setpag.  Thus, root can get in to fix the problems with afs.

Other dloaded methods will similarly have to exclude root (or some user)  
or deny remote login if something breaks, if they want remote repair.
This isn't the worst thing not to have.  There are many reasons that
remote access could be broken. Crashes that remove the password file come
to mind.  Sometimes, console access is necessary.

		--Dean
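
The root exclusion described in the message above, as an added C sketch that is not part of the original post and is not OpenAFS, OpenSSH or PAM code. The names afs_session_setpag, setpag_working and setpag_missing are hypothetical stand-ins, and catching SIGSYS to turn it into a denial (rather than letting the login process die) is a choice made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Outcome of the session step, as a PAM-style module might report it. */
enum pag_result { PAG_OK, PAG_SKIPPED_ROOT, PAG_DENY };
typedef int (*setpag_fn)(void);   /* stand-in for the real setpag call */

static sigjmp_buf sigsys_jmp;
static void on_sigsys(int sig) { (void)sig; siglongjmp(sigsys_jmp, 1); }

/* Constructed stand-ins: one behaves as if AFS is loaded, the other as if
 * the syscall is missing and the kernel delivers SIGSYS. */
int setpag_working(void) { return 0; }
int setpag_missing(void) { raise(SIGSYS); return -1; }

/* Root never calls setpag, so a broken AFS cannot lock out the account
 * used for repair. Any other user whose setpag fails is denied. */
enum pag_result afs_session_setpag(uid_t uid, setpag_fn do_setpag) {
    struct sigaction sa, old;
    enum pag_result res;

    if (uid == 0)
        return PAG_SKIPPED_ROOT;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigsys;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSYS, &sa, &old);

    if (sigsetjmp(sigsys_jmp, 1) != 0)
        res = PAG_DENY;                 /* SIGSYS arrived: setpag unavailable */
    else
        res = (do_setpag() == 0) ? PAG_OK : PAG_DENY;

    sigaction(SIGSYS, &old, NULL);      /* restore the caller's disposition */
    return res;
}

int main(void) {
    printf("root, afs broken: %d\n", afs_session_setpag(0, setpag_missing));
    printf("user, afs broken: %d\n", afs_session_setpag(1000, setpag_missing));
    printf("user, afs loaded: %d\n", afs_session_setpag(1000, setpag_working));
    return 0;
}
```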