[Bug 2548] New: Make pam_set_data/pam_get_data work with OpenSSH

bugzilla-daemon at bugzilla.mindrot.org
Sat Mar 5 02:52:12 AEDT 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2548

            Bug ID: 2548
           Summary: Make pam_set_data/pam_get_data work with OpenSSH
           Product: Portable OpenSSH
           Version: 7.2p1
          Hardware: Sparc
                OS: Solaris
            Status: NEW
          Severity: major
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: tomas.kuthan at oracle.com

The way PAM is implemented in OpenSSH makes pam_set_data unusable for
passing data between PAM stacks.

This is causing issues with multiple PAM modules:
- with pam_zfs_key it precludes mounting encrypted home dirs
- with pam_krb5 it precludes storing TGT in user cache and registering
  ticket renewal with ktkt_warnd

Current OpenSSH code flow with respect to PAM looks as follows.

(monitor)
   |
  fork --------------------------(privsep child)
   |                                    |
pam_start                               |
   |                                    |
  fork ----- (authentication 'thread')  |
   |                  |                 |
   |           pam_authenticate         |
   |                  |                 |
   |             pam_acct_mgmt          |
   |                  |                 |
   |             pam_chauthtok          |
   |                  |                 |
   |                  X                 |
   |                                    |
   |                                    X
   |
pam_setcred
   |
pam_open_session
   |
  fork ------ (authenticated child)
   |                 |
   |              setreuid(100)
   |                 |
   |                fork ------- (future shell)
   |                 |                  |
   |                 |              exec(bash)
   |                 |                  |
   |                 |                  X
   |                 |
   |                 X
   |
pam_close_session
   |
pam_setcred
   |
pam_end
   |
   X

The problem is that pam_authenticate and pam_acct_mgmt are called in a
separate auxiliary process. Any data stored using pam_set_data and any
other state information stored by those two functions are lost when the
auxiliary process exits (with exceptions like environment variables,
which are sent over between the processes).

(Opening as a new bug as opposed to appending to
ancient-history-burdened #688.)

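The state loss described in the report can be reproduced outside of PAM with a small model of the process split. The following is an added example, not code from OpenSSH or libpam: the "authentication thread" is a forked child, pam_set_data/pam_get_data are stood in for by a per-process static pointer (an assumption about how the handle keeps its data list), and the second function models the one thing OpenSSH does forward today, environment variables, by sending the value back to the monitor over a pipe.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the PAM handle's per-process data list (constructed for
   this example; real pam_set_data keeps the data inside the pam_handle_t). */
static const char *pam_data_slot = NULL;
static char forwarded[64];   /* monitor-side copy of a value sent over a pipe */

static void fake_pam_set_data(const char *value) { pam_data_slot = value; }
static const char *fake_pam_get_data(void) { return pam_data_slot; }

/* Current flow: the auxiliary auth process calls pam_set_data, then exits.
   The monitor's handle never sees the data. Returns 1 if the data survived. */
int data_survives_auth_child(void) {
    pid_t pid = fork();
    if (pid == 0) {
        fake_pam_set_data("tgt-cache-name");   /* e.g. what pam_krb5 stashes */
        _exit(0);
    }
    waitpid(pid, NULL, 0);
    return fake_pam_get_data() != NULL;   /* 0: the data died with the child */
}

/* What OpenSSH already does for environment variables: the child explicitly
   sends the state back and the monitor re-installs it in its own handle. */
int data_survives_with_forwarding(void) {
    int fd[2];
    if (pipe(fd) != 0) return 0;
    pid_t pid = fork();
    if (pid == 0) {
        close(fd[0]);
        const char *v = "tgt-cache-name";
        if (write(fd[1], v, strlen(v) + 1) < 0) _exit(1);
        _exit(0);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], forwarded, sizeof(forwarded) - 1);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n <= 0) return 0;
    forwarded[n] = '\0';
    fake_pam_set_data(forwarded);   /* monitor re-applies it before pam_setcred */
    return fake_pam_get_data() != NULL;   /* 1: the value crossed the boundary */
}
```

Any fix along these lines has to serialize every module's data items explicitly, which is exactly what pam_set_data's opaque void pointers and cleanup callbacks do not support in general.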