openssh-3.7p1+ and PAM on OS X
Darren Tucker
dtucker at zip.com.au
Fri Nov 12 11:33:26 EST 2004

Nick Lane-Smith wrote:
> Bug 688 is causing me a massive headache on OS X.
>
> The fact that each PAM authentication takes place in a separate process
> means the PAM context data isn't shared and therefore prevents the
> passing of data between modules. (pam_set_data, and pam_get_data)
>
> Compiling with pthreads isn't really an option because of the added
> security risk and the fact that some of the PAM modules are not thread
> safe and would be troublesome to make thread safe.
>
> Storing the data in the environment really isn't an option, as it is
> sensitive.

I thought the PAM environment (pam_putenv, pam_setenv) is a separate
namespace to the regular environment space and not visible to other
users. (Or are you worried about the PAM application or other PAM
modules getting their hands on this data?)

> Is there another solution that you could suggest?

Is the PAM password authentication (via a "blind" conversation function)
in 3.9p1 usable for you? It doesn't fork, and it would be relatively
easy to backport if necessary. It's no good for real challenge-response
though.

> How do you plan to fix 688?

Possibly, if there's some cure that isn't worse than the disease. So
far, one hasn't been obvious :-)

> does the fix have an ETA?

Not right now.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
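The problem quoted above (module data set in a forked PAM process never reaching the modules that run against the parent's handle) modelled as an added stand-alone C example; this is not code from the thread or from OpenSSH, and `model_pamh`, `model_set_data`, `model_get_data` and `run_stack` are constructed stand-ins for a PAM handle and pam_set_data()/pam_get_data(), so libpam is not needed to build it.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a PAM handle and for pam_set_data()/pam_get_data();
 * libpam is not used, and one data slot is enough to show the problem. */
#define MODEL_SUCCESS        0
#define MODEL_NO_MODULE_DATA 1

struct model_pamh { char name[32]; char value[64]; int present; };
static int model_set_data(struct model_pamh *h, const char *n, const char *v) {
    snprintf(h->name, sizeof h->name, "%s", n);
    snprintf(h->value, sizeof h->value, "%s", v);
    h->present = 1;
    return MODEL_SUCCESS;
}

static int model_get_data(const struct model_pamh *h, const char *n, const char **out) {
    if (!h->present || strcmp(h->name, n) != 0) return MODEL_NO_MODULE_DATA;
    *out = h->value;
    return MODEL_SUCCESS;
}

/* First module in the stack: stashes a (constructed) value for a later module. */
static void first_module(struct model_pamh *h) {
    model_set_data(h, "token", "constructed-secret");
}

/* Run the first module either in-process or in a forked child (the pre-3.9
 * sshd arrangement the thread describes), then let the second module ask the
 * parent's handle for the token.  Returns the status that lookup yields. */
int run_stack(int fork_first_module) {
    struct model_pamh h; const char *v = NULL;
    memset(&h, 0, sizeof h);
    if (fork_first_module) {
        pid_t pid = fork();
        if (pid == 0) { first_module(&h); _exit(0); } /* child writes its own copy */
        if (pid > 0) waitpid(pid, NULL, 0);           /* parent's copy is untouched */
    } else {
        first_module(&h);
    }
    return model_get_data(&h, "token", &v);
}

int main(void) {
    printf("forked: %d  in-process: %d\n", run_stack(1), run_stack(0)); /* 1  0 */
    return 0;
}
```

The forked run reports MODEL_NO_MODULE_DATA because the child's write lands in its own copy of the handle, which is exactly why pam_set_data() in one module cannot feed pam_get_data() in the next when the stack is split across processes.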