[Bug 2548] New: Make pam_set_data/pam_get_data work with OpenSSH
bugzilla-daemon at bugzilla.mindrot.org
Sat Mar 5 02:52:12 AEDT 2016
https://bugzilla.mindrot.org/show_bug.cgi?id=2548
Bug ID: 2548
Summary: Make pam_set_data/pam_get_data work with OpenSSH
Product: Portable OpenSSH
Version: 7.2p1
Hardware: Sparc
OS: Solaris
Status: NEW
Severity: major
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
Reporter: tomas.kuthan at oracle.com
The way PAM is implemented in OpenSSH makes pam_set_data unusable for
passing data between PAM stacks.
This is causing issues with multiple PAM modules:
- with pam_zfs_key it precludes mounting encrypted home dirs
- with pam_krb5 it precludes storing the TGT in the user cache and registering
ticket renewal with ktkt_warnd
Current OpenSSH code flow with respect to PAM looks as follows.

(monitor)
    |
   fork --------------------------(privsep child)
    |                                    |
pam_start                                |
    |                                    |
   fork ----- (authentication 'thread')  |
    |                |                   |
    |         pam_authenticate           |
    |                |                   |
    |          pam_acct_mgmt             |
    |                |                   |
    |          pam_chauthtok             |
    |                |                   |
    |                X                   |
    |                                    |
    |                                    X
    |
pam_setcred
    |
pam_open_session
    |
   fork ------ (authenticated child)
    |                |
    |           setreuid(100)
    |                |
    |               fork ------- (future shell)
    |                |                |
    |                |            exec(bash)
    |                |                |
    |                |                X
    |                |
    |                X
    |
pam_close_session
    |
pam_setcred
    |
pam_end
    |
    X
The problem is that pam_authenticate and pam_acct_mgmt are called in a
separate auxiliary process. Any data stored using pam_set_data and any
other state information stored by those two functions are lost when the
auxiliary process exits (with exceptions like environment variables,
which are sent over between the processes).
(Opening as a new bug as opposed to appending to
ancient-history-burdened #688.)
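The process-model point behind this report, as an added illustration that is not part of the bug report and not OpenSSH or libpam code: a PAM handle's pam_set_data store is ordinary heap memory in the calling process, so anything a module stashes during pam_sm_authenticate inside a forked helper is gone once that helper exits, while the same call made in-process is visible to the later pam_setcred/pam_open_session stage. The `model_handle` struct, `model_set_data`/`model_get_data` and `fake_sm_authenticate` are hypothetical stand-ins for libpam internals and a module, and the numeric error constants are this model's own; it assumes a POSIX system with fork(2) and waitpid(2).

```c
/* Added illustration, not OpenSSH or libpam code: a minimal in-process model of
 * the pam_set_data/pam_get_data store, used to show why state set by
 * pam_sm_authenticate in a forked auxiliary process never reaches the parent
 * that later calls pam_setcred and pam_open_session. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MODEL_SUCCESS 0          /* this model's stand-in for PAM_SUCCESS */
#define MODEL_NO_MODULE_DATA 18  /* this model's stand-in for PAM_NO_MODULE_DATA */

/* One named item in the handle's data store (hypothetical layout). */
struct data_item {
    char name[64];
    char value[128];
    struct data_item *next;
};

/* Hypothetical model of pam_handle_t: just a linked list of named items. */
struct model_handle {
    struct data_item *data;
};

static int model_set_data(struct model_handle *h, const char *name, const char *value) {
    struct data_item *it = calloc(1, sizeof(*it));
    if (it == NULL)
        return -1;
    strncpy(it->name, name, sizeof(it->name) - 1);
    strncpy(it->value, value, sizeof(it->value) - 1);
    it->next = h->data;
    h->data = it;
    return MODEL_SUCCESS;
}

static int model_get_data(struct model_handle *h, const char *name, const char **out) {
    for (struct data_item *it = h->data; it != NULL; it = it->next) {
        if (strcmp(it->name, name) == 0) {
            *out = it->value;
            return MODEL_SUCCESS;
        }
    }
    *out = NULL;
    return MODEL_NO_MODULE_DATA;
}

static void model_free(struct model_handle *h) {
    while (h->data != NULL) {
        struct data_item *next = h->data->next;
        free(h->data);
        h->data = next;
    }
}

/* Stand-in for a module's pam_sm_authenticate that stashes something
 * (a credential handle, say) for a later pam_sm_setcred to pick up. */
static int fake_sm_authenticate(struct model_handle *h) {
    return model_set_data(h, "example_cred", "constructed-credential-token");
}

/* Runs "authentication" in a forked helper, the way the privsep monitor runs
 * pam_authenticate in an auxiliary process. Returns the child's exit status. */
static int authenticate_in_child(struct model_handle *h) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(fake_sm_authenticate(h) == MODEL_SUCCESS ? 0 : 1);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Returns 1 if the parent can see data set by a forked child, 0 if not,
 * -1 if the child failed. */
int data_survives_child_authenticate(void) {
    struct model_handle h = { NULL };
    const char *v = NULL;
    if (authenticate_in_child(&h) != 0)
        return -1;
    int found = model_get_data(&h, "example_cred", &v) == MODEL_SUCCESS;
    model_free(&h);
    return found;
}

/* Returns 1 if the data is visible when authenticate runs in-process. */
int data_survives_inprocess_authenticate(void) {
    struct model_handle h = { NULL };
    const char *v = NULL;
    if (fake_sm_authenticate(&h) != MODEL_SUCCESS)
        return -1;
    int found = model_get_data(&h, "example_cred", &v) == MODEL_SUCCESS;
    model_free(&h);
    return found;
}

int main(void) {
    printf("authenticate in forked child: data visible to parent = %d\n",
           data_survives_child_authenticate());
    printf("authenticate in same process: data visible = %d\n",
           data_survives_inprocess_authenticate());
    return 0;
}
```

The forked case returns 0 because the child's copy-on-write heap, including the item appended to the handle, is discarded at _exit; only state explicitly marshalled back to the parent (as sshd does for environment variables) survives, which is exactly what a module relying on pam_set_data between stacks does not get.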