Fix for USE_POSIX_THREADS in auth-pam.c
Steven Michaud
smichaud at pobox.com
Fri Oct 31 08:56:00 EST 2003
> What is to stop us from exporting state set by pam_set_data from the
> child to the parent?

Well, perhaps you could ... but I think the code would be _very_
fragile.

I don't know that you can call pam_set_data() (and pam_get_data())
outside any PAM module, or that you can call one from inside a PAM
module and the other from a different PAM module (or from outside any
PAM module). But let's assume that you can.

Pam_set_data() has a module_data_name parameter that's supposed to be
used to store the data (a pointer to void) in a unique "location". If
you know the module_data_name (and the data is present in PAM's
"state"), you can use pam_get_data() to get it back. Problem is, how
do you know which data a given PAM module stored, and what name it was
stored under? Of course you could look at the source code for some
version of pam_krb5 (say) and see for yourself. But the name that's
used to store the data isn't part of any protocol, nor should it be --
the authors of PAM modules don't (as far as I know) expect
pam_get_data() to be called from "outside". So not only would you
have to look at every possible (or important) PAM module to see what
kind of data it used pam_set_data() to store, but you'd also have to
look at every _version_ of every PAM module to see what names might
have been used to store it under.

I suppose there are better ways to torture yourself ... but it's hard
to think of one off-hand :-)

On Thu, 31 Oct 2003, Damien Miller wrote:
> On Fri, 2003-10-31 at 03:31, Steven Michaud wrote:
>
> > Pam_krb5's pam_sm_setcred() function recovers and exports to disk the
> > Kerberos credentials that were created in pam_sm_authenticate() (and
> > stored to PAM's internal state by a call to pam_set_data()), then sets
> > the KRB5CCNAME variable (in the PAM environment) to point to the cache
> > file. You can trigger this by a call to do_pam_setcred() in OpenSSH.
> > But it must be done while still in the child process where PAM
> > authentication took place -- the internal state where the Kerberos
> > credentials were stored (by pam_set_data()) is only present in the
> > child, not in the parent.
>
> What is to stop us from exporting state set by pam_set_data from the
> child to the parent?
>
> -d
More information about the openssh-unix-dev
mailing list
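
A toy model of the point made in the message above, added here as an illustration; it is not part of the original post and is not OpenSSH or libpam code. It shows that data stored under a module-chosen name is process-local memory, so a store made in a forked child is not visible in the parent, and that even within one process a lookup needs the exact name. The store, `toy_set_data()`, `toy_get_data()` and the name `toy_krb5_creds` are all hypothetical.

```c
/* Toy model of PAM's per-handle data store: NOT libpam, all names invented. */
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

struct item { const char *name; void *data; struct item *next; };
struct handle { struct item *items; };  /* stands in for pam_handle_t */
static char creds[] = "constructed-credential-blob";  /* constructed sample */

/* Models pam_set_data(): keep an opaque pointer under a module-chosen name. */
static int toy_set_data(struct handle *h, const char *name, void *data) {
    struct item *it = malloc(sizeof *it);
    if (it == NULL) return -1;
    it->name = name; it->data = data; it->next = h->items; h->items = it;
    return 0;
}

/* Models pam_get_data(): succeeds only for the exact name used to store. */
static int toy_get_data(const struct handle *h, const char *name, void **out) {
    for (const struct item *it = h->items; it != NULL; it = it->next)
        if (strcmp(it->name, name) == 0) { *out = it->data; return 0; }
    return -1;
}

/* Store in a forked child, then look up in the parent: 1 found, 0 not found. */
int parent_sees_child_data(void) {
    struct handle h = { NULL };
    int status; void *p;
    pid_t pid = fork();
    if (pid < 0) return -1;
    /* Child: only its own copy of h changes, the parent's copy does not. */
    if (pid == 0) _exit(toy_set_data(&h, "toy_krb5_creds", creds) == 0 ? 0 : 1);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status)) return -1;
    return toy_get_data(&h, "toy_krb5_creds", &p) == 0;
}

/* Store and look up in one process: found only if guess is the stored name. */
int same_process_lookup(const char *guess) {
    struct handle h = { NULL };
    void *p;
    if (toy_set_data(&h, "toy_krb5_creds", creds) != 0) return -1;
    int found = toy_get_data(&h, guess, &p) == 0;
    free(h.items);
    return found;
}

int main(void) {  /* exit status 0 when both behaviours are as described */
    return (parent_sees_child_data() == 0 && same_process_lookup("toy_krb5_creds") == 1) ? 0 : 1;
}
```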