OpenSSH, PAM and kerberos
Slawa Olhovchenkov
slw at zxy.spb.ru
Tue Sep 3 08:30:57 UTC 2013
On Tue, Sep 03, 2013 at 09:51:35AM +0200, Dag-Erling Sm??rgrav wrote:
> Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> > If in this scenario on step 4 insted fork do pthread_create we don't
> > lost stored credentials and (I think) have full-synchronized thread
> > (new thred only work by request from parent and only for short time).
>
> It's not quite that simple. When a service module calls a conversation
> function, the event loop resumes until it receives an answer from the
> client. This is why PAM needs to run in a separate thread or process.
> OpenSSH was not designed to be multi-threaded, and we can't be sure
> there won't be conflicts.
We can be sure if separate thread don't access same data as other
sshd, or while other sshd wait answer from separate thread. I don't
see parallel execution in separate thread.
> Another problem is that libpam loads shared objects (the modules) when
> it runs, which may result in conflicts as well - espcially with
> pam_ssh(8).
Can you explain this? How conflicts and what scenario use pam_ssh in sshd?
> The proper solution would be an identification and authentication daemon
> with a well-designed RPC interface and mechanisms for transferring
> environment variables, descriptors and credentials from the daemon to
> the application (in this case, sshd).
I think this is impossible, because credentials for pam_krb5 is simple
pointer to internal blob's with unknown size, structure and links with
other elements.
More information about the freebsd-security
mailing list