PAM vulnerability in portable OpenSSH

Damien Miller djm at mindrot.org
Wed Sep 24 08:11:41 EST 2003


> Interesting quote:
> 
> "Due to complexity, inconsistencies in the specification and differences
> between vendors' PAM implementations we recommend that PAM be left disabled
> in sshd_config unless there is a need for its use. Sites only using public
> key or simple password authentication usually have little need to enable PAM
> support."
> 
> Slander? Don't think so.

It is only slander if it is false. Let's look at the charges:

1. Complexity - it is self-evident that PAM adds complexity to a
login-like program's implementation. This is before one has to
take into account its horribly broken, non-interruptible
conversation function.

2. Inconsistencies in the specification - these have been documented
by a PAM implementor at http://www.openpam.org/errata.html. If you like
reading vague specs, try reading the original PAM DCE RFC. This
vagueness contributed to one of the vulnerabilities mentioned.

3. Differences between vendors' implementations. Solaris PAM passes 
message arguments differently to LinuxPAM and OpenPAM. Some PAM 
implementations fatally break unless you set a PAM_TTY. There are 
differences in how implementations respond to credential 
(re-)initialisation and operation across different processes.

So I think that the recommendation to disable PAM unless you need it is 
a conservative one. For sites that just use password or OpenSSH's native
authentication methods, the only thing that PAM really buys you is a 
standard log message.

-d
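The quoted advice is to leave PAM disabled in sshd_config unless it is needed. The following is an added audit helper, not code from this post or from the OpenSSH project: it reports the effective UsePAM setting of a config file, applying two rules of sshd's own parser (keywords are case-insensitive, and the first value found for a keyword wins) and the documented default of "no". The sample config contents are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (not from the post or the OpenSSH project): report whether
# an sshd_config enables PAM. Mirrors sshd's parsing rules: keyword match is
# case-insensitive, the FIRST value found wins (later duplicates are
# ignored), "=" may separate keyword and value, and UsePAM defaults to "no".
pam_state() {
    # $1 = path to an sshd_config file; prints "yes" or "no"
    awk 'BEGIN { FS = "[ \t=]+" }
    {
        sub(/#.*/, "")                      # drop comments
        sub(/^[ \t]+/, "")                  # strip leading blanks so $1 is the keyword
        if ($0 == "") next
        if (tolower($1) == "match") exit    # UsePAM is not allowed inside Match blocks
        if (tolower($1) == "usepam" && !found) { found = 1; val = tolower($2) }
    }
    END { print (found ? val : "no") }' "$1"
}

# Constructed sample configs for a stand-alone run (not real host files).
tmp=$(mktemp)
printf 'Port 22\n# UsePAM yes   <- commented out\nusepam = no\nUsePAM yes\n' > "$tmp"
echo "sample 1: UsePAM is $(pam_state "$tmp")"   # first value wins: no
printf 'PubkeyAuthentication yes\nUsePAM yes\nMatch User guest\n' > "$tmp"
echo "sample 2: UsePAM is $(pam_state "$tmp")"   # yes
rm -f "$tmp"
```

Run it against a real file with `pam_state /etc/ssh/sshd_config`; on a live host, `sshd -T` prints the same effective value and also resolves Include directives, which this helper does not follow.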




More information about the openssh-unix-dev mailing list