Fix for USE_POSIX_THREADS in auth-pam.c

Steven Michaud smichaud at pobox.com
Fri Oct 31 08:56:00 EST 2003


> What is to stop us from exporting state set by pam_set_data from the
> child to the parent?

Well, perhaps you could ... but I think the code would be _very_
fragile.

I don't know that you can call pam_set_data() (and pam_get_data())
outside any PAM module, or that you can call one from inside a PAM
module and the other from a different PAM module (or from outside any
PAM module).  But let's assume that you can.

pam_set_data() has a module_data_name parameter that's supposed to be
used to store the data (a pointer to void) in a unique "location".  If
you know the module_data_name (and the data is present in PAM's
"state"), you can use pam_get_data() to get it back.  Problem is, how
do you know which data a given PAM module stored, and what name it was
stored under?  Of course you could look at the source code for some
version of pam_krb5 (say) and see for yourself.  But the name that's
used to store the data isn't part of any protocol, nor should it be --
the authors of PAM modules don't (as far as I know) expect
pam_get_data() to be called from "outside".  So not only would you
have to look at every possible (or important) PAM module to see what
kind of data it used pam_set_data() to store, but you'd also have to
look at every _version_ of every PAM module to see what names might
have been used to store it under.

I suppose there are better ways to torture yourself ... but it's hard
to think of one off-hand :-)

On Thu, 31 Oct 2003, Damien Miller wrote:

> On Fri, 2003-10-31 at 03:31, Steven Michaud wrote:
>
> > pam_krb5's pam_sm_setcred() function recovers and exports to disk the
> > Kerberos credentials that were created in pam_sm_authenticate() (and
> > stored to PAM's internal state by a call to pam_set_data()), then sets
> > the KRB5CCNAME variable (in the PAM environment) to point to the cache
> > file.  You can trigger this by a call to do_pam_setcred() in OpenSSH.
> > But it must be done while still in the child process where PAM
> > authentication took place -- the internal state where the Kerberos
> > credentials were stored (by pam_set_data()) is only present in the
> > child, not in the parent.
>
> What is to stop us from exporting state set by pam_set_data from the
> child to the parent?
>
> -d
>
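
A model of the two points made in this message, added here as an illustration and not code from OpenSSH, libpam or any PAM module: data stored in the child is absent from the parent after fork(), and exporting it only works if the exporter knows the module's private name and data layout. The toy store, `TOY_PRIVATE_NAME`, `struct toy_creds` and `export_from_child()` are hypothetical stand-ins for the state behind pam_set_data() and pam_get_data().

```c
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy stand-in for PAM's per-handle data; NOT libpam. It lives in process memory only. */
struct slot { const char *name; void *data; };
static struct slot store[4];

static void toy_set_data(const char *name, void *data) {
    for (int i = 0; i < 4; i++)
        if (!store[i].name) { store[i].name = name; store[i].data = data; return; }
}
static void *toy_get_data(const char *name) {
    for (int i = 0; i < 4; i++)
        if (store[i].name && strcmp(store[i].name, name) == 0) return store[i].data;
    return NULL;
}

/* Hypothetical module-private name and layout; neither is promised to outside callers. */
#define TOY_PRIVATE_NAME "toy_module_creds_v1"
struct toy_creds { char ccname[64]; };

/* The child "authenticates" and stores its data, then an exporter looks it up under
 * `guess` and writes it to the parent. Returns bytes the parent received, -1 on error. */
long export_from_child(const char *guess, struct toy_creds *out) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(fds[0]);
        struct toy_creds *c = calloc(1, sizeof *c);
        if (!c) _exit(1);
        strcpy(c->ccname, "FILE:/tmp/toy_cc_constructed");   /* constructed value */
        toy_set_data(TOY_PRIVATE_NAME, c);                     /* child-only state */
        struct toy_creds *found = toy_get_data(guess);        /* wrong name: NULL */
        if (found && write(fds[1], found, sizeof *found) < 0) _exit(1);
        _exit(0);
    }
    close(fds[1]);
    memset(out, 0, sizeof *out);
    long n = (long)read(fds[0], out, sizeof *out);   /* 0 = child exported nothing */
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n;
}

int main(void) { struct toy_creds c; return export_from_child(TOY_PRIVATE_NAME, &c) == (long)sizeof c ? 0 : 1; }
```

The export succeeds here only because the exporter shares the name and the struct definition with the code that stored the data.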



