Debian openssh option review: considering splitting out GSS-API key exchange
Howard Chu
hyc at symas.com
Tue Apr 2 14:17:04 AEDT 2024
Damien Miller wrote:
> Another thing we're considering in OpenSSH is changing how we integrate
> with PAM. PAM's API demands loading modules into the authenticating
> process' address space, but obviously we've just been reminded that this
> is risky.
This was a long-standing problem with pam/nss-ldap, which we solved by moving all of the
actual libldap invocations to a separate nslcd process, and only communicated to it
across a unix domain socket via stubs in the pam/nss modules. Mixing instances of libraries
that applications call directly, with instances loaded implicitly by system-level mechanisms,
was always a bad idea and caused endless problems, even without malicious attackers.
> I think that I would prefer to move to a model where there PAM auth and
> account modules run in a helper process, and only the session module
> runs in the unprivileged post-auth sshd process.
We could probably generalize the stub wrapping that we used for nss/pam-ldapd / nslcd to
be a generic interface to a standalone pamd that actually loads the pam modules. Should
be a simple job.
> This means that PAM auth/account modules and their transitive library
> dependencies cannot affect the sshd address space. They would still
> likely need to run with privilege, could still fail permissively in
> unwanted situations and might still be able to cause problems directly
> (e.g. opening a reverse shell from the PAM module itself), but they
> would no longer have direct access to the contents of sshd network
> traffic, signatures, etc that are extremely useful in building NOBUS
> (https://en.wikipedia.org/wiki/NOBUS) backdoors like the xv one.
>
> Where this gets challenging is that some PAM modules make assumptions
> that the auth, account and session modules all run in the same address
> space. These would break until re-architected to pass things explicitly,
> e.g. via environment variables, temp files, etc.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
More information about the openssh-unix-dev
mailing list