PAM kbd-int with privsep

Nalin Dahyabhai nalin at redhat.com
Wed Jun 26 02:39:57 EST 2002


On Tue, Jun 25, 2002 at 11:52:55AM +1000, Damien Miller wrote:
> The following is a patch (based on FreeBSD code) which gets kbd-int
> working with privsep. It moves the kbd-int PAM conversation to a child
> process and communicates with it over a socket.
> 
> The patch has a limitation: it does not handle multiple prompts - I have
> no idea how common these are in real-life. Furthermore it is not well
> tested at all (despite my many requests on openssh-unix-dev@).

It looks like this limitation exists because the authentication via PAM
is actually performed in a child of the privileged process, and the PAM
handle is lost after successful authentication when this child exits.

Once the PAM-encapsulating child exits, you don't have a context to
perform account or session management with, so the ability to perform
PAM session management is just lost.  Because PAM data items can point
to dynamically-allocated memory, I don't see a clean way to transfer
the context data to the parent.

It might be fixable by modifying it to have the parent do the PAM work,
but it'd require an approach similar to the existing kbdint code, and I
don't know how it would work in the context of a monitoring setup.

It might also be resolved (at least for Linux-PAM 0.65 and later and
derivatives, I haven't a clue about other implementations) by using
the PAM_CONV_AGAIN/PAM_INCOMPLETE framework and letting the privileged
process drive the conversation, but the framework is not well supported
by most of the modules I've spot-checked.  (That's fixable, though.)

Nalin
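The PAM_CONV_AGAIN/PAM_INCOMPLETE flow mentioned above, as an added, self-contained model that is not part of this thread and does not link against libpam (the return codes and message/response structs are defined locally with the values Linux-PAM uses, which is an assumption about its headers; `conv_state`, `pam_handle`, `model_pam_authenticate` and `drive_auth` are illustrative names, and the answers array stands in for the monitor socket). It shows the pattern Nalin describes: the conversation callback returns PAM_CONV_AGAIN instead of blocking when the privileged side has not yet supplied the answer, the authenticate call surfaces that as PAM_INCOMPLETE, and the process that owns the handle retries once the answer arrives, so the handle and its allocated data never have to cross a process boundary.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants with the values Linux-PAM assigns in _pam_types.h (assumption;
 * this file is a model and does not include <security/pam_appl.h>). */
#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_CONV_ERR        19
#define PAM_CONV_AGAIN      30
#define PAM_INCOMPLETE      31
#define PAM_PROMPT_ECHO_OFF  1

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Conversation state: the answer arrives asynchronously (in sshd it would
 * come from the other side of the privsep socket). */
struct conv_state {
    const char *pending_prompt;  /* prompt awaiting an answer, or NULL */
    char *answer;                /* answer delivered by the privileged side */
};

/* Conversation callback: hand the prompt back and return PAM_CONV_AGAIN
 * when no answer is available yet, rather than blocking inside the module. */
static int conv_fn(int n, const struct pam_message **msg,
                   struct pam_response **resp, void *appdata)
{
    struct conv_state *st = appdata;
    if (n != 1 || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF)
        return PAM_CONV_ERR;
    if (st->answer == NULL) {
        st->pending_prompt = msg[0]->msg;
        return PAM_CONV_AGAIN;
    }
    *resp = calloc(1, sizeof(**resp));
    if (*resp == NULL)
        return PAM_CONV_ERR;
    (*resp)->resp = st->answer;  /* ownership passes to the module */
    st->answer = NULL;
    st->pending_prompt = NULL;
    return PAM_SUCCESS;
}

/* Stand-in for a PAM handle. Its state survives the PAM_INCOMPLETE round
 * trip because the handle stays in the one process that drives it. */
struct pam_handle {
    struct conv_state *conv;
    const char *expected;  /* constructed secret the toy module checks */
    int attempts;          /* how many complete answers were evaluated */
};

/* Toy authenticate: asks for a password through the conversation and maps
 * PAM_CONV_AGAIN to PAM_INCOMPLETE, as Linux-PAM's pam_authenticate does. */
static int model_pam_authenticate(struct pam_handle *h)
{
    struct pam_message m = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    int rc = conv_fn(1, &mp, &r, h->conv);
    if (rc == PAM_CONV_AGAIN)
        return PAM_INCOMPLETE;
    if (rc != PAM_SUCCESS)
        return rc;
    h->attempts++;
    rc = strcmp(r->resp, h->expected) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
    free(r->resp);
    free(r);
    return rc;
}

/* Driver run by the process owning the handle: on PAM_INCOMPLETE it would
 * relay conv->pending_prompt to the client, collect the reply (here taken
 * from a constructed array standing in for the socket), and call again. */
static int drive_auth(struct pam_handle *h, const char *const *answers, int n)
{
    int i = 0, rc;
    while ((rc = model_pam_authenticate(h)) == PAM_INCOMPLETE) {
        if (i >= n)
            return PAM_AUTH_ERR;  /* client supplied no further answers */
        h->conv->answer = strdup(answers[i++]);
        if (h->conv->answer == NULL)
            return PAM_CONV_ERR;
    }
    return rc;
}

int main(void)
{
    struct conv_state cs = { NULL, NULL };
    struct pam_handle h = { &cs, "constructed-secret", 0 };
    const char *answers[] = { "constructed-secret" };
    int rc = drive_auth(&h, answers, 1);
    printf("result=%d attempts=%d\n", rc, h.attempts);
    return rc == PAM_SUCCESS ? 0 : 1;
}
```

The point of the loop in `drive_auth` is that the retry happens against the same handle, which is what lets account and session management run afterwards; a design that performs the conversation in a short-lived child has no handle left to call once that child exits.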
