Debian openssh option review: considering splitting out GSS-API key exchange

Howard Chu hyc at
Tue Apr 2 14:17:04 AEDT 2024

Damien Miller wrote:
> Another thing we're considering in OpenSSH is changing how we integrate
> with PAM. PAM's API demands loading modules into the authenticating
> process' address space, but obviously we've just been reminded that this
> is risky.

This was a long-standing problem with pam/nss-ldap, which we solved by moving all of the
actual libldap invocations to a separate nslcd process, and only communicated to it
across a unix domain socket via stubs in the pam/nss modules. Mixing instances of libraries
that applications call directly, with instances loaded implicitly by system-level mechanisms,
was always a bad idea and caused endless problems, even without malicious attackers.

> I think that I would prefer to move to a model where there PAM auth and
> account modules run in a helper process, and only the session module
> runs in the unprivileged post-auth sshd process.

We could probably generalize the stub wrapping that we used for nss/pam-ldapd / nslcd to
be a generic interface to a standalone pamd that actually loads the pam modules. Should
be a simple job.

> This means that PAM auth/account modules and their transitive library
> dependencies cannot affect the sshd address space. They would still
> likely need to run with privilege, could still fail permissively in
> unwanted situations and might still be able to cause problems directly
> (e.g. opening a reverse shell from the PAM module itself), but they
> would no longer have direct access to the contents of sshd network
> traffic, signatures, etc that are extremely useful in building NOBUS
> ( backdoors like the xv one.
> Where this gets challenging is that some PAM modules make assumptions
> that the auth, account and session modules all run in the same address
> space. These would break until re-architected to pass things explicitly,
> e.g. via environment variables, temp files, etc.

  -- Howard Chu
  CTO, Symas Corp. 
  Director, Highland Sun
  Chief Architect, OpenLDAP

More information about the openssh-unix-dev mailing list