SSHD with PAM question

Bob Bramwell bob at jasomi.com
Tue Nov 2 08:43:31 EST 2004


As long as it is my *nose* the daemons come out of we can all sleep easy :-)

Thanks for the explanation: it was very useful.  I will try to upgrade to 3.9p1 
RSN, but that's not a possibility this week.  So, just in case anyone else wants 
to try this sneezing daemon act, the cleanest way I've found to enable the 
pthread version of auth-pam is to configure with:
	--with-pam --with-libs="-lpthread" --with-cflags="-DUSE_POSIX_THREADS"
It seems to work OK in the situation in which I need it.

Cheers,
	Bob.

Darren Tucker wrote:
> Bob Bramwell wrote:
> 
>> Can anyone provide some insight into why the auth-pam module uses a 
>> fork in pthread_create (auth-pam.c)?  This completely breaks the 
>> ability of one PAM function to pass data to others via the 
>> pam_set_data/pam_get_data functions.
> 
> 
> It basically boils down to this: the PAM functions (pam_authenticate, 
> pam_acct_mgmt and so on) block until they complete, and interact with 
> the user via a "conversation function", ie a callback.
> 
> OpenSSH's sshd is built around a protocol dispatch loop (I suspect most 
> SSH implementations are).  Since the PAM calls block, the dispatch loop 
> isn't running until the calls complete.  This means the messages needed 
> to interact with the user aren't being processed.  Snookered, hence the 
> fork.
> 
> If you enable USE_POSIX_THREADS, you're trusting that every module you 
> use is thread-safe.  If they're not then it could blow up in interesting 
> and unusual ways, and may even make daemons fly out your nose.  If that 
> happens, don't expect any reaction from us (except maybe "Cool!  What 
> colour?" :-).
> 
> If you can, use 3.9p1, turn off ChallengeResponseAuthentication and turn 
> on PasswordAuthentication (this will use PAM with a blind conversation 
> function).
> 
> Also see http://bugzilla.mindrot.org/show_bug.cgi?id=688
> 


-- 
Bob Bramwell            Jasomi Networks (Canada) | This space
Ph: 403 269 2938 x155   #310 602 11th Ave SW     | intentionally
FX: 403 269 2993        Calgary, AB, T2R 1J8     | left blank.
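The fork-versus-thread point Darren explains above, as an added C illustration that is not code from the thread or from OpenSSH: `fake_pam_handle`, `fake_pam_set_data` and `fake_pam_get_data` are constructed stand-ins for `pam_handle_t` and the real PAM calls, and `module_a` plays the blocking PAM call sshd has to run out of the dispatch loop.

```c
/* Added illustration, not code from the thread: state stored with
 * pam_set_data() inside a forked child never reaches the parent's handle.
 * fake_pam_handle is a constructed stand-in for pam_handle_t; libpam is not used. */
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the per-handle store behind pam_set_data/pam_get_data. */
struct fake_pam_handle { char key[32]; char value[64]; int has_data; };

static void fake_pam_set_data(struct fake_pam_handle *h,
                              const char *key, const char *val) {
    snprintf(h->key, sizeof h->key, "%s", key);
    snprintf(h->value, sizeof h->value, "%s", val);
    h->has_data = 1;
}

/* Returns 1 and copies the value out if 'key' was set on this handle. */
static int fake_pam_get_data(const struct fake_pam_handle *h,
                             const char *key, char *out, size_t outlen) {
    if (!h->has_data || strcmp(h->key, key) != 0)
        return 0;
    snprintf(out, outlen, "%s", h->value);
    return 1;
}

/* "Module A": the blocking PAM call that records data for a later module B. */
static void module_a(struct fake_pam_handle *h) {
    fake_pam_set_data(h, "session_token", "constructed-token");  /* constructed */
}

/* Same address space, as a pthread under USE_POSIX_THREADS would share: B sees it. */
int run_in_process(void) {
    struct fake_pam_handle h = {{0}, {0}, 0};
    char buf[64];
    module_a(&h);
    return fake_pam_get_data(&h, "session_token", buf, sizeof buf);  /* 1 */
}

/* Forked child (the default build): the child writes to its own copy of h, so
 * after waitpid() the parent's handle is still empty and B gets nothing. */
int run_forked(void) {
    struct fake_pam_handle h = {{0}, {0}, 0};
    char buf[64];
    pid_t pid = fork();
    if (pid == 0) { module_a(&h); _exit(0); }
    if (pid > 0) waitpid(pid, NULL, 0);
    return fake_pam_get_data(&h, "session_token", buf, sizeof buf);  /* 0 */
}
```

The threaded build fixes the data-passing problem only by running every PAM module inside sshd's own address space, which is exactly why it requires each module to be thread-safe.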