OpenSSH, PAM and kerberos
Dag-Erling Smørgrav
des at des.no
Tue Sep 3 15:31:13 UTC 2013
Lev Serebryakov <lev at FreeBSD.org> writes:
> Dag-Erling Smørgrav <des at des.no> writes:
> > We're not just talking about a bug in sshd. We're talking about a
> > fundamentally broken paradigm which affects *all* applications.
> How does it affect second-most-used-login application -- login(1)?
I don't think login(1) is anywhere near second place - but yes, login(1)
is affected too. Everything that uses PAM is affected by the need to
have a process wait around to call pam_close_session(). Many, but not
all, PAM applications are also affected by PAM's reliance on callbacks
for user interaction (this is a major problem for OpenSSH). Performing
authentication in the same process that accepts and parses input from
potentially hostile users is also a huge security issue, cf. privilege
separation.
> And, yes, what do you mean by "fundamentally broken paradigm" here?
> PAM itself?
PAM, NSS, everything. Using separate APIs with separate backends for
identification and authentication, shoehorning modern identity databases
into the 40-year-old getpwnam() API - everything.
DES
--
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-security
mailing list