PAM merge from FreeBSD
Nicolas Williams
Nicolas.Williams at sun.com
Thu Feb 27 06:55:42 EST 2003
A few things to keep in mind:
- kbd-int should call pam_authenticate(), acct_mgmt(), chauthtok(), if
required, setcred(PAM_ESTABLISH_CRED) and open_session() ALL during
kbd-int so that modules in each of those PAM stacks can prompt the
user (pam_open_session(), for example, may prompt a user with an
informational message akin to the last login message)
- all userauth methods should call pam_acct_mgmt() and force kbd-int,
via partial userauth failure, if pam_acct_mgmt() returns
PAM_NEW_AUTHTOK_REQD (password expired)
- pam_setcred(PAM_ESTABLISH_CRED) and pam_open_session() should be
called by the end of userauth, regardless of which method(s) is(are)
tried by the client and completed successfully. (NOTE: there's no tty
at that point, nor any way to know if the client will want a tty
session)
- userauth methods other than kbd-int should have a null conversation
function (either NULL, literally, or a function that returns
PAM_CONV_ERR if any echo on/off prompts are issued)
- all of those PAM calls have to be done in a process which is an
ancestor to the user's actual session processes and those user
processes should not be created before calling PAM either
- preferably the process that calls pam_open_session() should be the
one to call pam_close_session(), on the same PAM handle on which
pam_open_session() was called
- no concurrency (threads) is needed for any of this, but because of
the way PAM conversations work
- the event loop must be nested (yes, this is workable, and 3.5p1
does nest the event loop in kbd-int userauth w/ PAM)
OR
- the PAM calls must be performed on alternative stacks (i.e., in a
different co-process)
OR
- the server must packet_disconnect() rather than allow kbd-int to
be abandoned or restarted
As Frank points out, multi-round-trip userauth methods can be
"abandoned" or "restarted" by the client; for kbd-int userauth this
means that multiple PAM conversations may be active, waiting for
responses, concurrently (but only the last one started can succeed -
the others must either fail or be left waiting for responses that
will never come).
Cheers,
Nico
--
On Wednesday, February 26, 2003, Frank Cusack wrote:
> On Sun, Feb 02, 2003 at 01:48:52PM +0100, Dag-Erling Smorgrav wrote:
> > My code runs the PAM authentication in a separate thread or process to
> > avoid calling the main loop from the conversation function (which
> > won't work with privsep anyway). Modules like pam_krb5 where the
> > session management stage uses information stored by the authentication
> > stage only work when using threads, because threads can share a PAM
> > handle but processes can't.
>
> Here are my initial thoughts.
>
> The PAM stuff runs in the priv part. You communicate to the unpriv part
> via a socket. Why bother with threads? The thread is just an added
> complication. OK, it avoids having to grab control of the main loop
> from within the conversation function, but I just wonder if there's
> another way to do this. I mean, you're still stuck in the conv.
> function until the info response comes back, anyway. How do (will)
> you handle restarting the authentication (client sends USERAUTH_REQUEST
> instead of USERAUTH_INFO_RESPONSE)?
>
> In auth-pam.c:sshpam_thread_conv(), line 148, the two cases ECHO_OFF and
> ECHO_ON should be combined into a single case, as should the ERROR_MSG
> and TEXT_INFO cases; just as you do in sshpam_query().
>
> The code as a whole /is/ far cleaner than what exists currently, so that
> is a big plus.
>
> I dislike that kbdint is run via auth2_challenge() and all the refs
> to "challenge". It's not necessarily a challenge.
>
> /fc
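The "null conversation function" item in Nico's list, written out as an added example; this is not code from the message, from Dag-Erling's patch or from OpenSSH, and the names (notty_conv, pam_msgbuf, the two demo_ functions) and the sample message batches are the example's own. It assumes the OpenPAM/Linux-PAM convention that msg[i] points to the i-th message (on Solaris, *msg points to an array of structs, so the indexing differs), and it mirrors the handful of <security/pam_appl.h> constants and structs it needs so that it builds without libpam; with libpam installed, include the header instead of the local definitions.

```c
/* Added example (not OpenSSH's code): a no-tty PAM conversation for userauth
 * methods other than kbd-int. Any echo on/off prompt makes it return
 * PAM_CONV_ERR; informational messages are buffered for later delivery. */
#include <stdlib.h>
#include <string.h>

/* Mirrors <security/pam_appl.h> (OpenPAM and Linux-PAM values and layouts)
 * so the example builds without libpam; with libpam, include the header. */
#define PAM_SUCCESS          0
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4
#define PAM_CONV_ERR        19
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* appdata_ptr: text from pam_acct_mgmt(), pam_setcred() and
 * pam_open_session() lands here, since there is no tty to show it on yet. */
struct pam_msgbuf {
    char   text[1024];
    size_t len;
    int    prompts_refused;
};

static void msgbuf_append(struct pam_msgbuf *b, const char *s)
{
    size_t n = strlen(s), room = sizeof b->text - 1 - b->len;
    if (room == 0)
        return;                 /* buffer full: drop the message */
    if (n + 1 > room)
        n = room - 1;           /* truncate, keeping room for '\n' */
    memcpy(b->text + b->len, s, n);
    b->len += n;
    b->text[b->len++] = '\n';
    b->text[b->len] = '\0';
}

/* OpenPAM/Linux-PAM convention: msg[i] is a pointer to the i-th message. */
static int notty_conv(int n, const struct pam_message **msg,
                      struct pam_response **resp, void *appdata_ptr)
{
    struct pam_msgbuf *buf = appdata_ptr;
    struct pam_response *reply;
    int i;

    *resp = NULL;
    if (n <= 0)
        return PAM_CONV_ERR;

    /* Pass 1: refuse the whole batch if anything needs user input, so the
     * module fails instead of waiting for an answer nobody can give. */
    for (i = 0; i < n; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF: case PAM_PROMPT_ECHO_ON:
            buf->prompts_refused++;
            return PAM_CONV_ERR;        /* nothing buffered for this batch */
        case PAM_ERROR_MSG: case PAM_TEXT_INFO:
            break;
        default:
            return PAM_CONV_ERR;
        }
    }

    /* Pass 2: all informational. Buffer the text and return an array of
     * empty responses; the caller frees it, as libpam would. */
    if ((reply = calloc((size_t)n, sizeof *reply)) == NULL)
        return PAM_CONV_ERR;
    for (i = 0; i < n; i++)
        msgbuf_append(buf, msg[i]->msg != NULL ? msg[i]->msg : "");
    *resp = reply;
    return PAM_SUCCESS;
}

/* Constructed batches standing in for what a module would send. */
static int demo_info_only(struct pam_msgbuf *buf)
{
    const struct pam_message m0 = { PAM_TEXT_INFO, "Last login: Wed Feb 26 23:10 from 10.0.0.5" };
    const struct pam_message m1 = { PAM_ERROR_MSG, "Your password will expire in 3 days" };
    const struct pam_message *msgs[] = { &m0, &m1 };
    struct pam_response *resp = NULL;
    int rc = notty_conv(2, msgs, &resp, buf);
    free(resp);
    return rc;
}

static int demo_expired_password(struct pam_msgbuf *buf)
{
    const struct pam_message m0 = { PAM_TEXT_INFO, "Your password has expired" };
    const struct pam_message m1 = { PAM_PROMPT_ECHO_OFF, "New Password: " };
    const struct pam_message *msgs[] = { &m0, &m1 };
    struct pam_response *resp = NULL;
    int rc = notty_conv(2, msgs, &resp, buf);
    free(resp);                 /* NULL after a refused batch */
    return rc;
}
```

Two design points worth noting. The batch is refused as a whole rather than message by message: a module may mix an informational line with a prompt in one conversation call (an expiry notice followed by a new-password prompt is the usual case), and buffering the first half while failing the second would leave a confusing fragment and a module that believes it partly succeeded. Refusing on the prompt is also what turns an expired password into a failure of the current method, which is the point at which the server should steer the client to kbd-int via partial success, as the second item in the list describes. Compared with passing a literal NULL conversation, this variant keeps the text that pam_open_session() or pam_acct_mgmt() emits (the last-login style message in the first item) so the server can still deliver it once a channel exists.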