[OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos

Darren Tucker dtucker at zip.com.au
Mon Feb 2 10:11:01 EST 2004 

(Reply-To set to openssh-unix-dev only)

Dean Anderson wrote:

> On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
>>Sadly, this doesn't make any difference.  OpenSSH 3.7.1 and later run PAM 
>>session modules in a subprocess unrelated to the eventual user shell, 

That is not correct.  Even with privsep, the session modules are run in 
the shell's immediate parent (as root).  (This is trivial to test: add a 
debug call  at the start of do_pam_session() to output its pid, then 
compare it with the ppid of the shell.)

It is true that pam_authenticate() is called in a process that's not a 
direct ancestor of the shell, and because of that, sshd now (ie 
post-3.7.1p2) goes to some length to export the state set by that 
process.  This is true with or without privsep.

> Nope. OpenSSH 3.7.1p1 works for me with privsep turned off. When privsep
> is turned off, there is no subprocess.

There are other differences in behaviour which may be the cause of what 
you're seeing, eg pam_setcred will be called as non-root when privsep is 
off.  See:
http://bugzilla.mindrot.org/show_bug.cgi?id=789

 > 3.7.1p1 has some additional
> breakage, in that if your ssh client doesn't support 'interactive/pam' as
> a method, then it won't send anything to pam. This means that only openssh
> clients work with pam on openssh servers. E.g., putty won't work.

That is not correct either.  For SSHv2, PAM on 3.7p1 and up uses 
keyboard-interactive (which is an internet-draft, the same as the rest 
of SSHv2, see [1]) which is supported by most clients, including PuTTY.

For SSHv1, PAM uses TIS challenge-response authentication, which is also 
supported by PuTTY, but is disabled by default.  To enable it, click the 
little checkbox at Connection -> SSH -> Auth -> Attempt TIS or 
Cryptocard authentication (SSH1).

If, however, you do not disable PasswordAuthentication as per the UsePAM 
man page entry then it's possible to authenticate without going through 
PAM.  To fix this, set "PasswordAuthentication no" in sshd_config like 
the man page says.

[1] 
http://www.ietf.org/internet-drafts/draft-ietf-secsh-auth-kbdinteract-05.txt

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list