[OpenAFS] trouble with pam_krb5

Carsten Schulz-Key openafs@oo-design.org
Tue, 19 Jul 2005 12:10:34 +0200


Christopher Allen Wing wrote:
>When 'keyboard-interactive' mode is in use, OpenSSH forks off a separate 
>process to do PAM authentication. This process then dies, and thus the 
>credentials cache (which is stored in memory) goes away.
>When 'keyboard-interactive' mode is disabled (and 'password' mode is used 
>instead), the PAM authentication is done in the same process, so the 
>credentials cache isn't destroyed.

The credentials are passed between the different stages of ssh authentication 
via pam_putenv() and pam_getenv() calls. If they occur in separate processes, 
Bad Things happen. With Solaris this usually means core dumps.

>There are some #ifdefs in the openssh source which control whether 
>pthreads are used to call PAM, or a separate process. When pthreads are 
>used, a new thread is created, PAM calls are made in this thread, and then 
>the thread terminates. However, the credentials then stick around properly 
>(since the thread shares memory with the rest of sshd)

This is a side effect that happens to work ;-)

>However, pthreads appear to be disabled by default in OpenSSH (there is 
>no --configure option to enable them). So it would be wise to find out why 
>they decided not to expose this functionality; it's possible that it might 
>be broken in some other way.

There is a good reason for disabling pthreads in the source code of OpenSSH and
making it difficult to enable: Every single PAM module on the PAM stack has to
be multi-thread safe! So you better know your PAM modules well...

The whole PAM stuff (in OpenSSH) is broken!
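The process-versus-thread behaviour discussed in this message, as an added C example that is not code from the OpenSSH or pam_krb5 sources: setenv()/getenv() stand in for pam_putenv()/pam_getenv() (an assumption made so the program needs no PAM handle), and the variable name and cache path are constructed placeholders. The fork path models keyboard-interactive mode, where the PAM conversation runs in a child that then exits; the thread path models the pthread build, where the child shares the address space with sshd.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-ins for what a pam_krb5 module would publish with
 * pam_putenv(); setenv()/getenv() model pam_putenv()/pam_getenv() here
 * because only the memory-sharing behaviour matters for the demo. */
#define CC_VAR "DEMO_KRB5CCNAME"            /* constructed variable name */
#define CC_VAL "FILE:/tmp/krb5cc_demo"       /* constructed sample value */

static void publish_ccache(void) {
    setenv(CC_VAR, CC_VAL, 1);
}

/* Keyboard-interactive model: PAM runs in a forked child that exits.
 * Returns 1 if the parent can still see the value afterwards, else 0. */
int ccache_survives_fork(void) {
    unsetenv(CC_VAR);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        publish_ccache();   /* written into the child's private copy of memory */
        _exit(0);           /* child dies, and its environment dies with it */
    }
    int status;
    waitpid(pid, &status, 0);
    return getenv(CC_VAR) != NULL;
}

static void *pam_thread(void *arg) {
    (void)arg;
    publish_ccache();       /* same address space as the caller */
    return NULL;
}

/* pthread model: the PAM call runs in a thread that terminates, but the
 * environment it wrote lives in shared process memory and persists. */
int ccache_survives_thread(void) {
    unsetenv(CC_VAR);
    pthread_t t;
    if (pthread_create(&t, NULL, pam_thread, NULL) != 0) return -1;
    pthread_join(t, NULL);
    const char *v = getenv(CC_VAR);
    return (v != NULL && strcmp(v, CC_VAL) == 0) ? 1 : 0;
}

int main(void) {
    printf("fork   path keeps ccache: %d\n", ccache_survives_fork());
    printf("thread path keeps ccache: %d\n", ccache_survives_thread());
    return 0;
}
```

The thread path only "works" because every module on the stack is then executed from a thread inside sshd, which is the thread-safety requirement the message warns about; the example shows why the value survives, not that doing so is safe.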
