Possible security flaw in OpenSSH and/or pam_krb5
Nicolas Williams
Nicolas.Williams at sun.com
Thu Jun 23 06:27:49 EST 2005
On Wed, Jun 22, 2005 at 10:19:21AM +1000, Darren Tucker wrote:
> 3) PAM's blocking callback conversation interface makes using it from
> sshd harder than it has to be. Similarly functional authentication
> systems with reentrant interfaces can be used with much less code (like
> an order of magnitude less).
This won't go away. It's not that we disagree about this aspect of PAM
-- whether we do is irrelevant as we can't actually change this now.
> 6) The multiple-messages part of the PAM conversation protocol (ie
> allowing more than one message per call to the conversation function) is
> more complex than necessary and this has been a source of bugs.
Same thing.
[...]
> It was in the FreeBSD code on which the current PAM code is based, and
> since then it's been the only general solution to modules that rely on
> pam_set_data/pam_get_data (in the main distribution, anyway).
I'm not sure what you mean -- I've given you a general solution that
works for such modules (it works, I know, because Solaris 10's sshd
implements it) and which does not require threading.
It's not a patch, but, here's some pared down, annotated output from
DTrace that shows the event loop nesting in Solaris 10's sshd (note:
Solaris 10's sshd does not privsep before completion of userauth):
# /tmp/sshd.d 8309
dtrace: script '/tmp/sshd.d' matched 1437 probes
CPU FUNCTION
1 -> do_authentication2 0
1 -> dispatch_run 13856
1 | dispatch_run:entry 13856
<much of userauth "none" processing cut>
1 -> auth2_read_banner 379472
1 <- auth2_read_banner 386369
1 -> auth_password 387699
1 <- auth_password 402011
1 -> userauth_finish 403775
1 -> userauth_check_partial_failure 405446
1 <- userauth_check_partial_failure 406731
<userauth "none" failed>
1 -> auth_log 408421
1 -> get_remote_ipaddr 410243
1 <- get_remote_ipaddr 411812
1 -> get_remote_port 413205
1 <- get_remote_port 428302
1 -> verbose 429356
1 -> do_log 429892
1 <- verbose 450636
1 <- auth_log 451936
1 -> packet_start 452725
1 <- packet_start 457191
1 -> packet_put_cstring 500193
1 <- packet_put_cstring 508796
1 -> packet_put_char 509939
1 <- packet_put_char 513020
1 -> packet_send 514925
1 <- packet_send 547312
1 -> packet_write_wait 547903
1 <- packet_write_wait 566347
1 <- userauth_finish 567698
<beginning of next userauth processing>
1 -> packet_read_seqnr 572016
1 <- packet_read_seqnr 631496
1 -> packet_get_string 632414
1 <- packet_get_string 638528
1 -> packet_get_string 638987
1 <- packet_get_string 644063
1 -> packet_get_string 644523
1 <- packet_get_string 649537
1 -> userauth_user_svc_change 674585
1 <- userauth_user_svc_change 691131
1 -> packet_get_string 700603
1 <- packet_get_string 706340
1 -> packet_get_string 706856
1 <- packet_get_string 712194
1 -> packet_remaining 712781
1 <- packet_remaining 714279
<it's keyboard-interactive, so call auth2_pam()>
1 -> auth2_pam 724581
1 -> new_start_pam 726072
1 -> derive_pam_svc_name 727367
1 <- derive_pam_svc_name 755245
1 -> fatal_add_cleanup 1032515
1 <- fatal_add_cleanup 1035132
1 -> get_remote_name_or_ip 1036371
1 -> get_canonical_hostname 1037855
1 <- get_canonical_hostname 1101406
1 <- get_remote_name_or_ip 1102800
1 <- new_start_pam 1107792
<set handlers for kbd-int packets>
1 -> dispatch_set 1108655
1 <- dispatch_set 1113516
<call pam_authenticate()>
1 -> pam_authenticate 1130453
<a Solaris PAM module calls a [private] utility function,
__pam_get_authtok() which calls sshd's conversation
function>
1 -> __pam_get_authtok 6498087
<sshd's conversation sends a kbd-int info request>
1 -> packet_start 6552542
1 <- packet_start 6563018
1 -> packet_put_cstring 6564168
1 <- packet_put_cstring 6577362
1 -> packet_put_cstring 6577891
1 <- packet_put_cstring 6584951
1 -> packet_put_cstring 6585452
1 <- packet_put_cstring 6592388
1 -> packet_put_int 6593677
1 <- packet_put_int 6597691
1 -> packet_put_cstring 6598208
1 <- packet_put_cstring 6605226
1 -> packet_put_char 6606352
1 <- packet_put_char 6609471
1 -> packet_send 6610941
1 <- packet_send 6664941
1 -> packet_write_wait 6666370
1 <- packet_write_wait 6705383
<re-enter dispatch_run(), wait for reply>
1 -> dispatch_run 6720321
1 | dispatch_run:entry 6720321
<kbd-int info reply arrives>
1 -> packet_read_seqnr 6722072
1 -> packet_write_wait 6724104
1 <- packet_write_wait 6730510
1 -> packet_read_poll_seqnr 6731721
1 <- packet_read_poll_seqnr 6734729
1 -> packet_process_incoming 6760386
1 <- packet_process_incoming 6770437
1 -> packet_read_poll_seqnr 6772402
1 <- packet_read_poll_seqnr 6872951
1 <- packet_read_seqnr 6879365
<process reply, convert to PAM response>
1 -> packet_get_int 6881555
1 <- packet_get_int 6887511
1 -> packet_get_string 6916314
1 <- packet_get_string 6928744
1 -> packet_remaining 6935389
1 <- packet_remaining 6939064
<reply was processed -- return from dispatch_run() to
conversation function>
1 <- dispatch_run 6940502
<conversation function returns to PAM module>
1 <- __pam_get_authtok 7035803
<pam_authenticate() finishes>
1 <- pam_authenticate 7605627
1 -> finish_userauth_do_pam 8821420
<not shown: calls to other PAM functions>
1 <- finish_userauth_do_pam 10510750
<clear callbacks for kbd-int>
1 -> dispatch_set 10547432
1 <- dispatch_set 10548814
1 <- auth2_pam 10550165
<finish up>
1 -> userauth_finish 10556711
1 -> userauth_check_partial_failure 10558469
1 <- userauth_check_partial_failure 10560198
1 -> auth_log 10562387
1 -> userauth_check_partial_failure 10563212
1 <- userauth_check_partial_failure 10563714
1 -> get_remote_ipaddr 10565341
1 <- get_remote_ipaddr 10567068
1 -> get_remote_port 10568399
1 <- get_remote_port 10586765
1 -> log 10588052
1 -> do_log 10588591
1 <- log 10608479
1 <- auth_log 10609878
1 -> dispatch_set 10610566
1 <- dispatch_set 10611042
1 -> packet_start 10612593
1 <- packet_start 10622025
1 -> packet_send 10623533
1 <- packet_send 10674599
1 -> packet_write_wait 10676102
1 -> packet_write_poll 10679960
1 <- packet_write_poll 10702504
1 -> packet_have_data_to_write 10703694
1 <- packet_have_data_to_write 10705721
1 <- packet_write_wait 10707897
1 <- userauth_finish 10709301
<exit outer event loop>
1 <- dispatch_run 10713892
1 <- do_authentication2 63914715
Nico
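The nesting the trace above shows, modelled as an added C example (hypothetical names and constructed packets, not code from this message, OpenSSH or Solaris): the conversation callback sends its prompt and then re-enters dispatch_run() until the reply handler fires, so the blocking PAM conversation is served without a thread.

```c
/* Toy model of the nesting the trace shows: the conversation callback
 * re-enters dispatch_run() to wait for the kbd-int reply, with no thread.
 * All names are hypothetical; inbox[] stands in for the SSH transport. */
#include <stdio.h>
#include <string.h>
enum { MSG_USERAUTH_REQUEST = 50, MSG_INFO_RESPONSE = 61, MSG_MAX = 256 };
struct packet { int type; char payload[32]; };
typedef void (*handler_fn)(const struct packet *);
static const struct packet inbox[] = {   /* constructed: request, then reply */
    { MSG_USERAUTH_REQUEST, "alice" }, { MSG_INFO_RESPONSE, "s3cret" } };
static handler_fn dispatch[MSG_MAX];
static char answer[32];
/* loop_depth/max_depth record how deeply dispatch_run() nested. */
static int inbox_pos, loop_depth, max_depth, have_answer, outer_done, auth_ok;
static void dispatch_set(int type, handler_fn fn) { dispatch[type] = fn; }
/* Event loop: deliver packets until *done is set; safe to enter recursively. */
static void dispatch_run(const int *done) {
    if (++loop_depth > max_depth) max_depth = loop_depth;
    while (!*done && inbox_pos < (int)(sizeof inbox / sizeof inbox[0])) {
        const struct packet *p = &inbox[inbox_pos++];
        if ((unsigned)p->type < MSG_MAX && dispatch[p->type]) dispatch[p->type](p);
    }
    loop_depth--;
}
static void info_response_handler(const struct packet *p) {
    snprintf(answer, sizeof answer, "%s", p->payload);
    have_answer = 1;                         /* lets the inner loop exit */
}
/* sshd's conversation function: send the prompt, then nest the loop. */
static const char *sshd_conv(const char *prompt) {
    printf("INFO_REQUEST: %s\n", prompt);   /* stands in for packet_send() */
    have_answer = 0;
    dispatch_set(MSG_INFO_RESPONSE, info_response_handler);
    dispatch_run(&have_answer);              /* inner dispatch_run() */
    dispatch_set(MSG_INFO_RESPONSE, NULL);   /* clear kbd-int callbacks */
    return answer;
}
/* Stand-in for a PAM module fetching the authtok via the conversation. */
static int fake_pam_authenticate(void) { return strcmp(sshd_conv("Password: "), "s3cret") == 0; }
static void userauth_handler(const struct packet *p) { (void)p;
    auth_ok = fake_pam_authenticate();       /* blocks inside the nested loop */
    outer_done = 1;
}
/* Runs the outer loop once; returns 1 on success and leaves max_depth == 2. */
int run_userauth(void) {
    dispatch_set(MSG_USERAUTH_REQUEST, userauth_handler);
    dispatch_run(&outer_done);               /* outer dispatch_run() */
    return auth_ok;
}
int main(void) { int ok = run_userauth(); printf("ok=%d depth=%d\n", ok, max_depth); return 0; }
```

The handler for the reply is installed only for the duration of the nested loop and cleared before the conversation returns, which is the same set/clear bracket the dispatch_set calls in the trace show.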