[OpenAFS] trouble with pam_krb5
Tue, 19 Jul 2005 12:10:34 +0200
Christopher Allen Wing wrote:
>When 'keyboard-interactive' mode is in use, OpenSSH forks off a separate
>process to do PAM authentication. This process then dies, and thus the
>credentials cache (which is stored in memory) goes away.
>When 'keyboard-interactive' mode is disabled (and 'password' mode is used
>instead), the PAM authentication is done in the same process, so the
>credentials cache isn't destroyed.
The credentials are passed between the different stages of ssh authentication
via pam_putenv() and pam_getenv() calls. If they occur in separate processes,
Bad Things happen. With Solaris this usually means core dumps.
>There are some #ifdefs in the openssh source which control whether
>pthreads are used to call PAM, or a separate process. When pthreads are
>used, a new thread is created, PAM calls are made in this thread, and then
>the thread terminates. However, the credentials then stick around properly
>(since the thread shares memory with the rest of sshd)
This is a side effect that happens to work ;-)
>However, pthreads appear to be disabled by default in OpenSSH (there is
>no --configure option to enable them). So it would be wise to find out why
>they decided not to expose this functionality; it's possible that it might
>be broken in some other way.
There is a good reason for disabling pthreads in the source code of OpenSSH and
making it difficult to enable: Every single PAM module on the PAM stack has to
be multi-thread safe! So you better know your PAM modules well...
The whole PAM stuff (in OpenSSH) is broken!
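As an added illustration (not code from this thread, OpenSSH or any PAM implementation), the C program below mimics pam_putenv()/pam_getenv() with a stand-in variable that lives in process memory, then runs the "auth" stage either in the same process or in a forked child, which is the difference between the two sshd code paths discussed above. Every identifier and the KRB5CCNAME value are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for PAM's per-handle environment list (hypothetical, not libpam):
 * one string slot stored in this process's memory, as pam_putenv() does. */
static char fake_pam_env[256];

static int fake_pam_putenv(const char *name_value) {
    if (strlen(name_value) >= sizeof fake_pam_env) return -1;
    strcpy(fake_pam_env, name_value);
    return 0;
}

static const char *fake_pam_getenv(const char *name) {
    size_t n = strlen(name);
    if (strncmp(fake_pam_env, name, n) == 0 && fake_pam_env[n] == '=')
        return fake_pam_env + n + 1;
    return NULL;
}

/* The auth stage: a module records where it put the credentials cache. */
static void auth_stage(void) {
    fake_pam_putenv("KRB5CCNAME=FILE:/tmp/krb5cc_constructed");
}

/* 'password' path: auth runs in the same process as the later session
 * stage. Returns 1 if the session stage can still read the value. */
int auth_in_same_process(void) {
    fake_pam_env[0] = '\0';
    auth_stage();
    return fake_pam_getenv("KRB5CCNAME") != NULL;
}

/* 'keyboard-interactive' path: auth runs in a forked child. The child writes
 * into its own copy of memory, which disappears when it exits, so the parent
 * (the session stage) sees nothing. Returns 1 if visible, 0 if lost. */
int auth_in_forked_child(void) {
    fake_pam_env[0] = '\0';
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { auth_stage(); _exit(0); }
    waitpid(pid, NULL, 0);
    return fake_pam_getenv("KRB5CCNAME") != NULL;
}

int main(void) {
    printf("same process: %d\nforked child: %d\n",
           auth_in_same_process(), auth_in_forked_child());
    return 0;
}
```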