OpenSSH, PAM and kerberos
Dag-Erling Smørgrav
des at des.no
Tue Sep 3 07:51:35 UTC 2013
Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> If in this scenario on step 4 insted fork do pthread_create we don't
> lost stored credentials and (I think) have full-synchronized thread
> (new thred only work by request from parent and only for short time).
It's not quite that simple. When a service module calls a conversation
function, the event loop resumes until it receives an answer from the
client. This is why PAM needs to run in a separate thread or process.
OpenSSH was not designed to be multi-threaded, and we can't be sure
there won't be conflicts.
Another problem is that libpam loads shared objects (the modules) when
it runs, which may result in conflicts as well - espcially with
pam_ssh(8).
The proper solution would be an identification and authentication daemon
with a well-designed RPC interface and mechanisms for transferring
environment variables, descriptors and credentials from the daemon to
the application (in this case, sshd).
DES
--
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-security
mailing list