[OpenAFS] home on afs woes

Jeffrey Hutzelman jhutz@cmu.edu
Fri, 13 Jan 2006 17:06:10 -0500


On Thursday, January 12, 2006 06:41:21 PM -0800 Russ Allbery 
<rra@stanford.edu> wrote:

> Jeffrey Hutzelman <jhutz@cmu.edu> writes:
>
>> However, they do it that way not as part of some misguided attempt at
>> "security", but because of the constraints imposed by the way their SSH
>> protocol parser interacts with keyboard-interactive.  Fixing it would
>> require significant work, not to mention actually getting the fix
>> accepted.
>
> Could you give me more details on why that would be the case?  It doesn't
> intuitively make sense to me why proxying the PAM interaction through yet
> another level of indirection would help.  Some kind of a deadlock
> situation where you don't know which source of input to wait for,
> perhaps?

Essentially, the issue is that OpenSSH's protocol dispatch engine calls a 
handler for each SSH message received, and expects the handler to return so 
it can go on waiting for the next message.  PAM, on the other hand, wants 
to call the application each time it wants to display a message or prompt 
for input, and for the application to return with the result.  So the 
keyboard-interactive driver is stuck in the middle, trying to mediate 
between two systems both of which want to be at the top of the call stack.

The way OpenSSH handles this is to run the pam_authenticate in a separate 
process (or, with the unsupported "hack", in a separate thread), with the 
two processes speaking a trivial protocol to each other.  The PAM 
conversation function sends messages and prompts up to the main sshd 
process, and blocks until it gets a response; in the meantime, the sshd 
returns to the message dispatcher, and sends incoming replies to the PAM 
process.

Now, another approach would be to turn the PAM call stack "upside-down" by 
having the conversation function return PAM_CONV_AGAIN, which _should_ 
result in the call to pam_authenticate returning PAM_INCOMPLETE.  However, 
that would be a fair bit of work, and who's to say if they'd take a patch?

-- Jeff
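The control-flow inversion Jeff describes, as an added worked example that is not part of the posting and is not OpenSSH or Linux-PAM code. It is a Python simulation of the thread variant: a stand-in pam_authenticate() that calls a conversation function and expects the answers returned, a stand-in sshd dispatcher whose per-message handlers must return, and a mediating thread that carries prompts and answers between them over two queues standing in for the pipe. All names, message types, and the password/one-time-code module stack are constructed for the illustration; the constant names merely echo the real PAM ones.

```python
import queue
import threading

# ---- stand-in for the PAM library ------------------------------------------
# pam_authenticate() drives a stack of modules; each module calls the
# application's conversation function and expects the answers to be RETURNED
# to it, i.e. PAM wants to sit at the top of the call stack.
PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"
PAM_PROMPT_ECHO_OFF, PAM_TEXT_INFO = "PROMPT_ECHO_OFF", "TEXT_INFO"


def fake_pam_authenticate(conv, secrets):
    """Two pretend modules (password, then one-time code), each blocking in conv()."""
    conv([(PAM_TEXT_INFO, "simulated host: authenticating")])  # no answer expected
    (password,) = conv([(PAM_PROMPT_ECHO_OFF, "Password: ")])
    if password != secrets["password"]:
        return PAM_AUTH_ERR                                     # stack stops early
    (code,) = conv([(PAM_PROMPT_ECHO_OFF, "One-time code: ")])
    return PAM_SUCCESS if code == secrets["otp"] else PAM_AUTH_ERR


# ---- the "separate thread" that mediates between PAM and the dispatcher -----
class PamThread:
    """pam_authenticate() runs here; two queues stand in for the pipe between
    the main sshd and its PAM helper (a simplification for this example)."""

    def __init__(self, secrets):
        self.to_sshd = queue.Queue()     # prompts and the final result go up
        self.from_sshd = queue.Queue()   # the client's answers come back down
        threading.Thread(target=self._run, args=(secrets,), daemon=True).start()

    def _conv(self, messages):
        # The PAM conversation function: push the prompts up, then block until
        # the dispatcher forwards the client's replies.  Blocking here is fine
        # because the dispatcher is on another thread and keeps reading messages.
        self.to_sshd.put(("prompts", messages))
        return self.from_sshd.get()

    def _run(self, secrets):
        self.to_sshd.put(("done", fake_pam_authenticate(self._conv, secrets)))


# ---- stand-in for sshd's message dispatcher ---------------------------------
class Sshd:
    """One handler per SSH message; every handler must return so the loop can
    go back to waiting for the next message from the client."""

    def __init__(self, secrets):
        self.secrets, self.pam, self.result, self.outbox = secrets, None, None, []

    def dispatch(self, msg):
        {"USERAUTH_REQUEST": self._on_request,
         "USERAUTH_INFO_RESPONSE": self._on_response}[msg[0]](msg)

    def _on_request(self, msg):
        self.pam = PamThread(self.secrets)      # kick off pam_authenticate()
        self._relay()

    def _on_response(self, msg):
        self.pam.from_sshd.put(msg[1])          # answers go down to the blocked conv()
        self._relay()

    def _relay(self):
        # Take exactly one event from the PAM side and turn it into one outgoing
        # SSH message, then return so the dispatcher can read the client again.
        kind, payload = self.pam.to_sshd.get()
        if kind == "prompts":
            self.outbox.append(("USERAUTH_INFO_REQUEST", payload))
        else:
            self.result = payload
            self.outbox.append(("USERAUTH_SUCCESS",) if payload == PAM_SUCCESS
                               else ("USERAUTH_FAILURE",))


def run_session(secrets, client_answers):
    """Drive one keyboard-interactive exchange against a scripted client.
    Returns (pam_result, list of message types sent to the client)."""
    sshd = Sshd(secrets)
    sshd.dispatch(("USERAUTH_REQUEST", "keyboard-interactive"))
    while sshd.result is None:
        kind, prompts = sshd.outbox[-1]             # always an INFO_REQUEST here
        answers = [client_answers.get(text, "") for style, text in prompts
                   if style == PAM_PROMPT_ECHO_OFF]  # TEXT_INFO gets an empty reply
        sshd.dispatch(("USERAUTH_INFO_RESPONSE", answers))
    return sshd.result, [m[0] for m in sshd.outbox]


if __name__ == "__main__":
    secrets = {"password": "hunter2", "otp": "493817"}   # constructed test data
    print(run_session(secrets, {"Password: ": "hunter2", "One-time code: ": "493817"}))
    print(run_session(secrets, {"Password: ": "wrong"}))
```

Each conv() call from the PAM side turns into exactly one USERAUTH_INFO_REQUEST on the wire and each USERAUTH_INFO_RESPONSE unblocks exactly one conv() call, which is the "trivial protocol" between the two sides; the dispatcher itself never sleeps inside a PAM call. The PAM_CONV_AGAIN/PAM_INCOMPLETE alternative mentioned at the end of the posting is not modelled here.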