SSHD with PAM question

Darren Tucker dtucker at zip.com.au
Tue Nov 2 07:51:28 EST 2004


Bob Bramwell wrote:
> Can anyone provide some insight into why the auth-pam module uses a fork 
> in pthread_create (auth-pam.c)?  This completely breaks the ability of 
> one PAM function to pass data to others via the 
> pam_set_data/pam_get_data functions.

It basically boils down to this: the PAM functions (pam_authenticate, 
pam_acct_mgmt and so on) block until they complete, and interact with 
the user via a "conversation function", ie a callback.

OpenSSH's sshd is built around a protocol dispatch loop (I suspect most 
SSH implementations are).  Since the PAM calls block, the dispatch loop 
isn't running until the calls complete.  This means the messages needed 
to interact with the user aren't being processed.  Snookered, hence the 
fork.

If you enable USE_POSIX_THREADS, you're trusting that every module you 
use is thread-safe.  If they're not then it could blow up in interesting 
and unusual ways, and may even make daemons fly out your nose.  If that 
happens, dont expect any reaction from us (except maybe "Cool!  What 
colour?" :-).

If you can, use 3.9p1, turn off ChallengeResponseAuthentication and turn 
on PasswordAuthentication (this will use PAM with a blind conversation 
function).

Also see http://bugzilla.mindrot.org/show_bug.cgi?id=688

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.




More information about the openssh-unix-dev mailing list