OpenSSH, PAM and kerberos

[Slawa Olhovchenkov]

On Mon, Sep 02, 2013 at 07:36:57PM +0200, Dag-Erling Sm??rgrav wrote:

> Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> > Hmmm, now I try to compile sshd with UNSUPPORTED_POSIX_THREADS_HACK and
> > it works (/tmp/krb5cc_NNNN created, kerberosied login to other host
> > working w/o entering password). 
> 
> So they didn't break the thread version?  You shouldn't use it, though,
> as the rest of OpenSSH is not thread-safe.  The threads are only
> partially synchronized, and service modules may for instance call
> getpwent() and thereby clobber global state which OpenSSH relies on.

As I understand interaction between sshd and pam subsystem occur next:

1. sshd need pam auth
2. call sshpam_init_ctx
3. sshpam_init_ctx do sshpam_init
4. sshpam_init_ctx for non-blocking processing do
   pthread_create(sshpam_thread) (emulated by fork).
5. in child process sshpam_thread do pam_authenticate and store cred.
6. child process terminated by sshpam_free_ctx
7. sshd do pam_setcred for context from [2] (and lost cred in child
   process).
8. sshd fork less-priveleged child
9. child terminated
10. pam session closed.


If in this scenario on step 4 insted fork do pthread_create we don't
lost stored credentials and (I think) have full-synchronized thread
(new thred only work by request from parent and only for short time).

W/o thread we need constanly run 3 sshd: unpriveleged, priveleged
worked witch pam and master process.