Possible security flaw in OpenSSH and/or pam_krb5

Frank Cusack fcusack at fcusack.com
Tue Jun 21 10:19:07 EST 2005


On June 17, 2005 3:49:11 PM +1000 Damien Miller <djm at mindrot.org> wrote:
> Frank Cusack wrote:
>>> I have a long list too.  As OpenSolaris comes online we'll have lots of
>>> opportunity to go over these lists, design and implement improvements.
>>>
>>> As for the conversation function issue you have, I've advised the
>>> OpenSSH team before on how to handle the matter,
>>
>> As have I.  It's not difficult.  The portable openssh team just doesn't
>> get PAM, and apparently doesn't WANT to (I say this because it's not
>> that hard).
>
> We do get PAM, we just don't feel the need to rewrite our application to
> cope with its terrible interface. What we have works with the vast
> majority of PAM modules

But it does not follow the API correctly.  Isn't correctness a priority
for the openssh folks?  It's not just the conversation function handling
that's broken in openssh.

One of the large benefits of PAM is that organizations can write their
own authentication functionality without having to rewrite every application.
You are (to an admittedly small degree) reducing the effectiveness of PAM;
rather, for organizations that need such correctness, you are increasing
their exposure by forcing them to maintain their own openssh.  Yes, that
must be a conscious decision on the part of such organizations, but their
hand is forced nonetheless.

> and the module that does regularly cause
> problems (pam_krb5) replicates functionality largely integrated into
> OpenSSH anyway.

Publicly available module, you mean.

> But, if you really care, then you can help lobby for a modern, saner PAM
> API and obviate this whole mess. We have tried before, the Sun people
> don't seem to care and the Linux-PAM people are asleep at the switch
> (they don't even seem to respond to serious bug reports these days).
>
> Or, you can submit patches - many of yours have been gratefully accepted
> in the past and, as you say, "it's not that hard".
>
> Or, you can continue to whinge from the sidelines and keep the status
> quo.

That's laughable.

Anyway, I withdraw my comment as I see (now that I examine recent sources)
that PAM support is steadily improving.  Documenting threads as an ugly hack
is one of those nice improvements, IMHO.  Why you added it in the first place
is beyond my understanding.  As is why you refuse fairly trivial patches to
correctly handle PAM conversations.  Yet you have ugly code in there which
supports much more obscure systems.  (Although I hate to say that, because
I myself always reject arguments for brokenness that are based on existing
brokenness; just because something is already broken doesn't mean you make
it more broken.  But we're not talking about breaking openssh, we're talking
about improving it, from a system compatibility POV.)

Frank
