[OpenAFS] trouble with pam_krb5

Christopher Allen Wing wingc@engin.umich.edu
Mon, 18 Jul 2005 16:11:16 -0400 (EDT)

Ha. My theory about 'improper UID' was incorrect, but I did find the 
underlying cause.

When 'keyboard-interactive' mode is in use, OpenSSH forks off a separate 
process to do PAM authentication. This process then dies, and thus the 
credentials cache (which is stored in memory) goes away.

When 'keyboard-interactive' mode is disabled (and 'password' mode is used 
instead), the PAM authentication is done in the same process, so the 
credentials cache isn't destroyed.

There are some #ifdefs in the openssh source which control whether 
pthreads are used to call PAM, or a separate process. When pthreads are 
used, a new thread is created, PAM calls are made in this thread, and then 
the thread terminates. However, the credentials then stick around properly 
(since the thread shares memory with the rest of sshd)

I was able to get OpenSSH to work properly with 
'ChallengeResponseAuthentication yes' when I rebuilt the OpenSSH RPM from 
RHEL4, adding:

 	LDFLAGS="$LDFLAGS -lpthread"

to the RPM .spec file as appropriate.

However, pthreads appear to be disabled by default in OpenSSH (there is 
no --configure option to enable them). So it would be wise to find out why 
they decided not to expose this functionality; it's possible that it might 
be broken in some other way.

Anyway, I think the short summary is:

 	'keyboard-interactive' authentication in OpenSSH breaks the 
semantics of PAM, and thus the pam_krb5 module cannot work properly when 
"ChallengeResponseAuthentication" is enabled.

 	Red Hat's supported version of OpenSSH disables 
ChallengeResponseAuthentication, possibly for this reason.

 	It's possible to get it to work, if you rebuild sshd with pthreads 
support, but this may not be supported or well tested by OpenSSH, and 
certainly unsupported by Red Hat.

 	The best workaround for the moment seems to be ensuring that 
ChallengeResponseAuthentication is disabled.


On Mon, 18 Jul 2005, Russ Allbery wrote:

> This breaks password expiration, or any other PAM dialogs that require
> anything more complex than a simple password prompt.