Possible security flaw in OpenSSH and/or pam_krb5

Damien Miller djm at mindrot.org
Fri Jun 17 15:49:11 EST 2005


Frank Cusack wrote:
>> I have a long list too.  As OpenSolaris comes online we'll have lots of
>> opportunity to go over these lists, design and implement improvements.
>>
>> As for the conversation function issue you have, I've advised the
>> OpenSSH team before on how to handle the matter,
> 
> As have I.  It's not difficult.  The portable openssh team just doesn't
> get PAM, and apparently doesn't WANT to (I say this because it's not
> that hard).

We do get PAM, we just don't feel the need to rewrite our application to
cope with its terrible interface. What we have works with the vast
majority of PAM modules and the module that does regularly cause
problems (pam_krb5) replicates functionality largely integrated into
OpenSSH anyway.

But, if you really care, then you can help lobby for a modern, saner PAM
API and obviate this whole mess. We have tried before, the Sun people
don't seem to care and the Linux-PAM people are asleep at the switch
(they don't even seem to respond to serious bug reports these days).

Or, you can submit patches - many of yours have been gratefully accepted
in the past and, as you say, "it's not that hard".

Or, you can continue to whinge from the sidelines and keep the status
quo.

-d
