Possible security flaw in OpenSSH and/or pam_krb5

Nicolas Williams Nicolas.Williams at sun.com
Sat Jun 18 04:28:55 EST 2005


On Fri, Jun 17, 2005 at 03:49:11PM +1000, Damien Miller wrote:
> Frank Cusack wrote:
> >As have I.  It's not difficult.  The portable openssh team just doesn't
> >get PAM, and apparently doesn't WANT to (I say this because it's not
> >that hard).
> 
> We do get PAM, we just don't feel the need to rewrite our application to
> cope with its terrible interface. What we have works with the vast
> majority of PAM modules and the module that does regularly cause
> problems (pam_krb5) replicates functionality largely integrated into
> OpenSSH anyway.
> 
> But, if you really care, then you can help lobby for a modern, saner PAM
> API and obviate this whole mess. We have tried before, the Sun people
> don't seem to care and the Linux-PAM people are asleep at the switch
> (they don't even seem to respond to serious bug reports these days).

PAM can and will get better, but don't expect the interaction-through-
callback functions aspect of it to change anytime soon -- it can't, not
in a way that is backwards compatible with existing PAM applications and
modules.  If you want a fix for that then you must either lobby for a
shim that uses threading to provide an iterative interface or for a
replacement for PAM altogether.

I don't think PAM is going away though, and since PAM application
developers _can_ cope with those callbacks I don't see much incentive
for PAM implementors to provide an iterative shim atop PAM.  Since you
say you'll take patches I assume that getting OpenSSH to handle PAM
properly is really just a matter of resources and therefore really a
matter of time.

No, I don't have time to write patches for the latest portable OpenSSH,
so don't expect any patches from me anytime soon...

Cheers,

Nico
-- 
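The threaded shim Nico describes above (PAM's callback-style conversation function turned into an iterative, pull-style interface) modelled in Python, as an added example that is not part of this thread, of OpenSSH or of any PAM implementation; the module stack, the prompts and the user/password pair are constructed stand-ins, and the constant values are only modelled on Linux-PAM.

```python
import queue
import threading

# Constructed stand-ins for the C PAM API; values are modelled on Linux-PAM.
PAM_SUCCESS, PAM_AUTH_ERR = 0, 7
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON = 1, 2

def fake_pam_authenticate(conv, expected):
    """Stand-in module stack: it drives the dialogue by calling the application's
    conversation callback and cannot proceed until conv() returns answers."""
    user = conv([(PAM_PROMPT_ECHO_ON, "login: ")])[0]
    password = conv([(PAM_PROMPT_ECHO_OFF, "Password: ")])[0]
    return PAM_SUCCESS if (user, password) == expected else PAM_AUTH_ERR

class IterativePam:
    """Threaded shim: runs callback-style authentication on a worker thread and
    exposes each batch of prompts as a pull-style step the application answers."""
    def __init__(self, authenticate):
        self._prompts = queue.Queue()  # module -> application
        self._replies = queue.Queue()  # application -> module
        self._result = None
        self._worker = threading.Thread(target=self._run, args=(authenticate,))
        self._worker.start()

    def _conv(self, messages):  # runs on the worker thread; blocks for answers
        self._prompts.put(messages)
        return self._replies.get()

    def _run(self, authenticate):
        self._result = authenticate(self._conv)
        self._prompts.put(None)  # sentinel: no more prompts, result is ready

    def next_prompts(self):  # None once the conversation has finished
        return self._prompts.get()

    def respond(self, answers):
        self._replies.put(answers)

    def result(self):
        self._worker.join()
        return self._result

def run_iterative(expected, answers):
    """Application side: pull each prompt batch, answer it, collect the result."""
    shim = IterativePam(lambda conv: fake_pam_authenticate(conv, expected))
    seen = []
    while (batch := shim.next_prompts()) is not None:
        seen.extend(text for _style, text in batch)
        shim.respond([answers.get(text, "") for _style, text in batch])
    return shim.result(), seen
```

The application never has to block inside a callback: each `next_prompts()` call can be serviced from a server's own event loop, which is the property the iterative interface buys.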