Change request For OpenSSH 3.8p1
Damien Miller
djm at mindrot.org
Sat Feb 28 09:44:17 EST 2004
On Fri, 27 Feb 2004, Antoine Verheijen wrote:
> NOTE: This patch requires a previously sent patch fixing a small problem in
> OpenSSH PAM support when POSIX threads are used.
>
> This is a small patch to the OpenSSH portable configuration process that
> I'd like to have considered for inclusion in the distributed version. It
> will set the use of (native) POSIX threads in Solaris if the header and
> library files are present on the system. At present, this will only affect
> PAM support on that OS.

No - we will not be making threads easy to use.

Right now they are an option for people who a) really know what they are
doing and b) need to fix the AFS PAG issue.

If we make them easy to use, then idiots will turn them on thinking "cool,
threads are supposed to be, like, fast and stuff". I consider threads to
be evil complexity that should be used only as a last resort.

As soon as we have a better fix for this particular problem, I think we
should be removing thread support altogether.

Possible fixes so far are:

1. Inverting the monitor/pam-child relationship (clever idea from Darren
   Tucker, search the list archive for details). Problems with rekeying
   need to be solved.

2. Resurrecting the old PAM password hack (ugly, but less so than
   threads). Patches welcome.

3. Use of a separate setpag helper.

4. Obtaining a PAG properly as part of gssapi-with-mic (needs extra code
   for MIT Kerberos, I believe).

5. Utilising the async conversation function extensions that some PAM libs
   (Linux-PAM, at least) provide. Obviously this would only work with PAM
   libs that support these extensions, but hopefully that would provide some
   incentive for PAM implementors to renovate this horrid API. Patches
   welcome.

-d