[OpenAFS] trouble with pam_krb5
Carsten Schulz-Key
openafs@oo-design.org
Tue, 19 Jul 2005 12:10:34 +0200
Christopher Allen Wing wrote:
>When 'keyboard-interactive' mode is in use, OpenSSH forks off a separate
>process to do PAM authentication. This process then dies, and thus the
>credentials cache (which is stored in memory) goes away.
>
>When 'keyboard-interactive' mode is disabled (and 'password' mode is used
>instead), the PAM authentication is done in the same process, so the
>credentials cache isn't destroyed.

The credentials are passed between the different stages of ssh authentication
via pam_putenv() and pam_getenv() calls. If they occur in separate processes,
Bad Things happen. With Solaris this usually means core dumps.

>There are some #ifdefs in the openssh source which control whether
>pthreads are used to call PAM, or a separate process. When pthreads are
>used, a new thread is created, PAM calls are made in this thread, and then
>the thread terminates. However, the credentials then stick around properly
>(since the thread shares memory with the rest of sshd)

This is a side effect that happens to work ;-)

[...]

>However, pthreads appear to be disabled by default in OpenSSH (there is
>no --configure option to enable them). So it would be wise to find out why
>they decided not to expose this functionality; it's possible that it might
>be broken in some other way.

There is a good reason for disabling pthreads in the source code of OpenSSH and
making it difficult to enable: Every single PAM module on the PAM stack has to
be multi-thread safe! So you better know your PAM modules well...

The whole PAM stuff (in OpenSSH) is broken!

Carsten
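
The difference between the two modes discussed in this thread, as an added example that is not part of the original message and is not OpenSSH or pam_krb5 code. struct fake_pam, fake_authenticate() and the KRB5CCNAME value are constructed stand-ins for the PAM handle state that pam_putenv() would fill in.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Stand-in for per-handle PAM state (what pam_putenv() would fill in).
 * The struct and the KRB5CCNAME value are constructed for this example. */
struct fake_pam { char env[128]; };

/* Stand-in for a pam_krb5-style authenticate step: records where the
 * credentials cache lives in the handle's memory. */
static void fake_authenticate(struct fake_pam *h)
{
    snprintf(h->env, sizeof h->env, "KRB5CCNAME=MEMORY:example_cache");
}

/* 'password' style: authentication runs in the calling process. */
int auth_same_process(struct fake_pam *h)
{
    fake_authenticate(h);
    return h->env[0] != '\0';           /* 1: state is still here */
}

/* 'keyboard-interactive' style: a forked helper authenticates, then exits.
 * The helper writes to its own copy of *h; the parent's copy is untouched. */
int auth_forked_helper(struct fake_pam *h)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        fake_authenticate(h);
        _exit(h->env[0] != '\0' ? 0 : 1);  /* helper itself sees the state */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return h->env[0] != '\0';           /* 0: state died with the helper */
}

int main(void)
{
    struct fake_pam a = {{0}}, b = {{0}};
    printf("same process : state kept = %d\n", auth_same_process(&a));
    printf("forked helper: state kept = %d\n", auth_forked_helper(&b));
    return 0;
}
```

The helper exits with status 0 because it did see the state it set; the parent's later lookup on the same handle still finds nothing, which is the situation a subsequent pam_getenv() in a different process runs into.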