also needed for Tru64 SIA to work in privsep. WAS: Password expiry patch plans

Toni L. Harbaugh-Blackford harbaugh at
Tue Nov 12 20:24:03 EST 2002

On Sun, 10 Nov 2002, Michael Steffens wrote:

  > Darren Tucker wrote:
  > > [was Re: [Bug 423] Workaround for pw change in privsep mode (3.5.p1)]
  > > 
  > > Frank Cusack wrote:
  > > 
  > >>The PAM framework demands the type of exchange that
  > >>only keyboard-interactive offers.  The way the "password" authentication
  > >>method interacts with PAM is a kludge.
  > > 
  > > 
  > > After following this thread and thinking about this for a while, this is
  > > the current plan for my experimental expiry patch[0]:
  > > 
    <... text deleted ...>
  > As far as privsep is concerned I'm getting the feeling that
  > Frank is right that all calls of PAM functions should be
  > moved to the privileged monitor. Possibly this could also
  > solve the auditing corruptions reported for Solaris?
  > But in any way it requires tunneling PAM conversation between
  > monitor and unprivileged child, and this seems to be far from being
  > an easy task. Already tried to wrap my head around it only
  > for the keyboard interactive case...

This is exactly the problem with getting Tru64 SIA to work in privsep
mode.  SIA wants to 'talk' to the user directly over the tty that is passed
to the auth routines.  It insists on having this tty as its own controlling
terminal, which is not the case in privsep mode since the unprivileged child
has the tty.  The way around this would be to have two separate ttys, one
owned by the privileged process and passed to the SIA routines, and tunnel
the conversation between the SIA routines and the unprivileged child.
I don't know enough about tty programming and the internals of the
ssh code to do this.

If someone else figures it out though, it would be great if the code
could be used for Tru64 also.  :)


Toni Harbaugh-Blackford                     harbaugh at
AlphaServer System Administrator
SAIC/NCI Frederick Advanced Biomedical Computing Center
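A minimal sketch of the monitor/child conversation tunnelling the thread is asking for, added here as an illustration and not code from OpenSSH or from anyone in the thread: the privileged monitor runs the authentication module and forwards each prompt over a socketpair to the unprivileged child, which owns the user's tty and sends the answers back. The PAM/SIA module is a constructed stand-in, and the message framing (4-byte length plus JSON), the field names and the passwords are all assumptions.

```python
import json, os, socket, struct

def send_msg(sock, obj):
    body = json.dumps(obj).encode()
    sock.sendall(struct.pack(">I", len(body)) + body)

def recv_msg(sock):
    hdr = sock.recv(4, socket.MSG_WAITALL)
    if len(hdr) < 4:
        raise EOFError("peer closed the privsep channel")
    (n,) = struct.unpack(">I", hdr)
    return json.loads(sock.recv(n, socket.MSG_WAITALL))

def stand_in_auth(conv):
    # Constructed stand-in for a PAM/SIA module: like pam_authenticate() it sees only
    # a conversation callback. It checks the current password, then treats the account
    # as expired and demands a new one (the "old-secret" value is constructed).
    if conv(echo=False, text="Password: ") != "old-secret":
        return False
    new = conv(echo=False, text="New password: ")
    return new == conv(echo=False, text="Retype new password: ") and len(new) >= 8

def monitor(sock):
    # Privileged side: the module runs here; each prompt is tunnelled to the child.
    def conv(echo, text):
        send_msg(sock, {"type": "prompt", "echo": echo, "text": text})
        reply = recv_msg(sock)
        if reply.get("type") != "reply":
            raise ValueError("unexpected message from child")
        return reply["text"]
    ok = stand_in_auth(conv)
    send_msg(sock, {"type": "result", "ok": ok})
    return ok

def child(sock, answers):
    # Unprivileged side: owns the tty; `answers` (constructed) stands in for user input.
    while True:
        msg = recv_msg(sock)
        if msg["type"] == "result":
            return msg["ok"]
        send_msg(sock, {"type": "reply", "text": answers.get(msg["text"], "")})

def run_privsep_auth(answers):
    mon_sock, child_sock = socket.socketpair()
    pid = os.fork()
    if pid == 0:
        mon_sock.close()
        try:
            child(child_sock, answers)
        finally:
            os._exit(0)
    child_sock.close()
    ok = monitor(mon_sock)
    os.waitpid(pid, 0)
    return ok
```

Because the child only ever sees prompt text and returns typed answers, the module state stays in the monitor, which is the property the thread wants for both PAM and SIA.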
