[OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos

Darren Tucker dtucker at zip.com.au
Tue Jan 27 14:07:10 EST 2004

Jeffrey Hutzelman wrote:
> On Monday, January 26, 2004 17:17:46 -0500 Dean Anderson <dean at av8.com> 
> wrote:
>> On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
>>> Worse, it would not solve the problem.  The trouble here is not that AFS
>>> tokens are stored in a kernel data structure instead of a file.  It's
>>> that  they are indexed by a value which must be set on login, inherited
>>> from each  process by its children, and must not be changeable by the
>>> user (to prevent  token stealing).  OpenSSH loses not because you need
>>> special code to set  tokens, and not even because you need special code
>>> to generate a new PAG --  those things can be done by a PAM module.
>>> OpenSSH loses because the PAM  session module gets called outside the
>>> inheritance chain of the user's  shell, which means it can't set a PAG
>>> or anything else that is inherited  across a fork (e.g. groups,
>>> environment variables, resource limits, etc etc  etc).
>> Right. And there is an easy solution: Turn off Privsep.
> Sadly, this doesn't make any difference.  OpenSSH 3.7.1 and later run 
> PAM session modules in a subprocess unrelated to the eventual user 
> shell, regardless of whether privsep is enabled.  AFAIK, in earlier 
> versions, it works fine even with privsep, because while such things may 
> be run in a subprocess, they are run in a subprocess that ends up being 
> an ancestor of the user shell.

You can try:

./configure --with-cflags=-DUSE_POSIX_THREADS --with-ldflags=-lpthread

(or whichever library contains threads on your platform) and the PAM 
authentication code will be run as a thread.


Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list