SSHD with PAM question
Darren Tucker
dtucker at zip.com.au
Tue Nov 2 07:51:28 EST 2004
Bob Bramwell wrote:
> Can anyone provide some insight into why the auth-pam module uses a fork
> in pthread_create (auth-pam.c)? This completely breaks the ability of
> one PAM function to pass data to others via the
> pam_set_data/pam_get_data functions.
It basically boils down to this: the PAM functions (pam_authenticate,
pam_acct_mgmt and so on) block until they complete, and interact with
the user via a "conversation function", i.e. a callback.
OpenSSH's sshd is built around a protocol dispatch loop (I suspect most
SSH implementations are). Since the PAM calls block, the dispatch loop
isn't running until the calls complete. This means the messages needed
to interact with the user aren't being processed. Snookered, hence the
fork.
If you enable USE_POSIX_THREADS, you're trusting that every module you
use is thread-safe. If they're not then it could blow up in interesting
and unusual ways, and may even make daemons fly out your nose. If that
happens, don't expect any reaction from us (except maybe "Cool! What
colour?" :-).
If you can, use 3.9p1, turn off ChallengeResponseAuthentication and turn
on PasswordAuthentication (this will use PAM with a blind conversation
function).
Also see http://bugzilla.mindrot.org/show_bug.cgi?id=688
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
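The fork arrangement Darren describes, as an added illustration written for this page and not code from OpenSSH's auth-pam.c: `fake_pam_authenticate`, `child_conv` and `authenticate_via_fork` are invented stand-ins, and a socketpair replaces sshd's real plumbing. The child runs the blocking call and talks through its conversation function while the parent keeps looping on the socket the way the protocol dispatch loop would; because the module's state lives in the child's address space, `parent_sees_module_data()` stays 0, which is the pam_set_data/pam_get_data loss Bob asked about.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Stand-in for state a real module would store with pam_set_data(). */
static char module_data[128] = "";

/* Stand-in for the blocking pam_authenticate(): it cannot return until the
 * conversation callback has obtained an answer from the user. */
static int fake_pam_authenticate(int (*conv)(const char *, char *, size_t, void *), void *appdata) {
    char answer[64];
    if (conv("Password: ", answer, sizeof answer, appdata) != 0) return 1;
    snprintf(module_data, sizeof module_data, "set-by-module:%s", answer);
    return strcmp(answer, "correct-horse") == 0 ? 0 : 1;   /* 0 plays PAM_SUCCESS */
}

/* Child-side conversation function: send the prompt to the parent over the
 * socketpair and block until the parent relays the client's reply. */
static int child_conv(const char *prompt, char *reply, size_t len, void *appdata) {
    int fd = *(int *)appdata;
    ssize_t n;
    if (write(fd, prompt, strlen(prompt)) < 0) return -1;
    if ((n = read(fd, reply, len - 1)) <= 0) return -1;
    reply[n] = '\0';
    return 0;
}

/* Parent: fork the blocking call into a child so this process stays in its
 * dispatch loop, relaying prompts out and replies back. client_reply stands in
 * for what the loop would read from the SSH client. Returns the child's result. */
int authenticate_via_fork(const char *client_reply) {
    int sv[2], status; char prompt[128]; ssize_t n; pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                             /* child: blocks inside the PAM call */
        close(sv[0]);
        _exit(fake_pam_authenticate(child_conv, &sv[1]));
    }
    close(sv[1]);
    while ((n = read(sv[0], prompt, sizeof prompt - 1)) > 0) {  /* the dispatch loop */
        prompt[n] = '\0';                       /* prompt would go to the client here */
        if (write(sv[0], client_reply, strlen(client_reply)) < 0) break;
    }                                           /* read() returns 0 once the child exits */
    close(sv[0]);
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
/* The module's pam_set_data() state lived in the child, so the parent never sees it. */
int parent_sees_module_data(void) { return module_data[0] != '\0'; }
```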