[PATCH] Support ambient capability vector in Linux PAM

Björn Fischer bf at cebitec.uni-bielefeld.de
Sat Oct 2 19:55:56 AEST 2021


Hello Damien,

> I guess my only concern is that this would cause pam_end() to
> potentially be called multiple times, once in the parent process
> (without PAM_DATA_SILENT) and zero to many times in child session
> processes.
> 
> E.g. a forwarding-only session might have no child session process,
> whereas a multiplexed connection might have many child processes,
> all of which will share the same pam_handle.
> 
> How will PAM cope with this?

should work as intended. pam_end() with PAM_DATA_SILENT is sort
of a "light version" of cleanup. Calling this should only free
resources that were duplicated on the previous fork().
Omitting pam_end() in the child code path usually does no harm
as that code path does execve() anyway. But with the latest
additions to pam_cap.so to support the ambient vector, some
more important tasks were included on that code path.

Linux PAM is aware that resources which are needed to maintain
a session should be freed only on pam_end() called by the
parent (without PAM_DATA_SILENT). And so should be the modules.
E.g. have a look at the latest fix for this in the Kerberos
module: https://github.com/rra/pam-krb5/issues/21

As pam_end() with PAM_DATA_SILENT should be called once per
fork() (or once per child) there should not be a problem with
forwarding-only or multiplexed connections. At least as long
as the PAM modules conform to the Linux PAM documentation.

Cheers,
	Björn
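
An added sketch (not from the original message, OpenSSH, or any PAM module) of the module-side behaviour the reply relies on: a cleanup callback in the style registered with pam_set_data() that frees process-local memory on every pam_end(), but leaves the session's on-disk state alone when PAM_DATA_SILENT is set. The struct, function names and file path are hypothetical; the pam_handle_t argument is dropped and the callback returns a value so the code builds and can be checked without libpam.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag value as in Linux-PAM's <security/_pam_types.h>; repeated here so the
 * sketch builds without the libpam headers. */
#ifndef PAM_DATA_SILENT
#define PAM_DATA_SILENT 0x40000000
#endif

/* Hypothetical module data: heap memory (duplicated by fork()) that points at
 * a file shared by every process of the session. */
struct sess_data { char *cache_path; };

int file_exists(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) return 0;
    fclose(f);
    return 1;
}

/* Constructed helper: create the shared file and the data referring to it. */
struct sess_data *sess_new(const char *path)
{
    struct sess_data *sd;
    FILE *f = fopen(path, "w");
    if (f == NULL) return NULL;
    fclose(f);
    if ((sd = malloc(sizeof(*sd))) == NULL) return NULL;
    if ((sd->cache_path = malloc(strlen(path) + 1)) == NULL) { free(sd); return NULL; }
    strcpy(sd->cache_path, path);
    return sd;
}

/* Modelled on a pam_set_data() cleanup callback. error_status is the status
 * given to pam_end(), including PAM_DATA_SILENT in a forked child.
 * Returns 1 if the shared file was removed, 0 if it was left in place. */
int sess_cleanup(void *data, int error_status)
{
    struct sess_data *sd = data;
    int removed = 0;
    if (sd == NULL) return 0;
    /* Only the parent's full pam_end() may destroy session-wide state. */
    if (!(error_status & PAM_DATA_SILENT))
        removed = (remove(sd->cache_path) == 0);
    /* Memory copied by fork() is released on both paths. */
    free(sd->cache_path);
    free(sd);
    return removed;
}
```
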

