[OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
dtucker at zip.com.au
Tue Jan 27 14:07:10 EST 2004
Jeffrey Hutzelman wrote:
> On Monday, January 26, 2004 17:17:46 -0500 Dean Anderson <dean at av8.com>
>> On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
>>> Worse, it would not solve the problem. The trouble here is not that AFS
>>> tokens are stored in a kernel data structure instead of a file. It's
>>> that they are indexed by a value which must be set on login, inherited
>>> from each process by its children, and must not be changeable by the
>>> user (to prevent token stealing). OpenSSH loses not because you need
>>> special code to set tokens, and not even because you need special code
>>> to generate a new PAG -- those things can be done by a PAM module.
>>> OpenSSH loses because the PAM session module gets called outside the
>>> inheritance chain of the user's shell, which means it can't set a PAG
>>> or anything else that is inherited across a fork (e.g. groups,
>>> environment variables, resource limits, etc etc etc).
>> Right. And there is an easy solution: Turn off Privsep.
> Sadly, this doesn't make any difference. OpenSSH 3.7.1 and later run
> PAM session modules in a subprocess unrelated to the eventual user
> shell, regardless of whether privsep is enabled. AFAIK, in earlier
> versions, it works fine even with privsep, because while such things may
> be run in a subprocess, they are run in a subprocess that ends up being
> an ancestor of the user shell.
You can try:
./configure --with-cflags=-DUSE_POSIX_THREADS --with-ldflags=-lpthread
(or whichever library contains threads on your platform) and the PAM
authentication code will be run as a thread.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev