[OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Darren Tucker
dtucker at zip.com.au
Sun Feb 1 18:11:01 EST 2004
(Reply-To set to openssh-unix-dev only)
Dean Anderson wrote:
> On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
>>Sadly, this doesn't make any difference. OpenSSH 3.7.1 and later run PAM
>>session modules in a subprocess unrelated to the eventual user shell,
That is not correct. Even with privsep, the session modules are run in
the shell's immediate parent (as root). (This is trivial to test: add a
debug call at the start of do_pam_session() to output its pid, then
compare it with the ppid of the shell.)
It is true that pam_authenticate() is called in a process that's not a
direct ancestor of the shell, and because of that, sshd now (ie
post-3.7.1p2) goes to some length to export the state set by that
process. This is true with or without privsep.
> Nope. OpenSSH 3.7.1p1 works for me with privsep turned off. When privsep
> is turned off, there is no subprocess.
There are other differences in behaviour which may be the cause of what
you're seeing, eg pam_setcred will be called as non-root when privsep is
off. See:
http://bugzilla.mindrot.org/show_bug.cgi?id=789
> 3.7.1p1 has some additional
> breakage, in that if your ssh client doesn't support 'interactive/pam' as
> a method, then it won't send anything to pam. This means that only openssh
> clients work with pam on openssh servers. E.g., putty won't work.
That is not correct either. For SSHv2, PAM on 3.7p1 and up uses
keyboard-interactive (which is an internet-draft, the same as the rest
of SSHv2, see [1]) which is supported by most clients, including PuTTY.
For SSHv1, PAM uses TIS challenge-response authentication, which is also
supported by PuTTY, but is disabled by default. To enable it, click the
little checkbox at Connection -> SSH -> Auth -> Attempt TIS or
Cryptocard authentication (SSH1).
If, however, you do not disable PasswordAuthentication as per the UsePAM
man page entry then it's possible to authenticate without going through
PAM. To fix this, set "PasswordAuthentication no" in sshd_config like
the man page says.
[1] http://www.ietf.org/internet-drafts/draft-ietf-secsh-auth-kbdinteract-05.txt
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
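The misconfiguration the reply warns about (UsePAM enabled while PasswordAuthentication is left at its default of yes, so a client can authenticate by plain password without ever entering the PAM conversation) is easy to check mechanically. The script below is an added example and is not code from the thread or from OpenSSH; it parses sshd_config text with the first-occurrence-wins rule sshd uses, ignores comment lines, and reports whether the PAM path can be bypassed. The sample configs in the test are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread or from OpenSSH).
# Checks an sshd_config for the combination Darren Tucker's reply warns
# about: UsePAM yes together with PasswordAuthentication left enabled.

# sshd_opt CONFIG_TEXT KEYWORD DEFAULT
# Prints the effective value of KEYWORD. sshd_config keywords are
# case-insensitive and the FIRST uncommented occurrence wins, so we stop
# at the first match; if the keyword never appears, DEFAULT is printed.
# (Match blocks are not modelled here.)
sshd_opt() {
    val=$(printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == tolower(key) { print tolower($2); exit }')
    if [ -n "$val" ]; then
        printf '%s' "$val"
    else
        printf '%s' "$3"
    fi
}

# pam_bypassable CONFIG_TEXT
# Returns 0 (true) when PAM is enabled but password authentication is
# still on, i.e. a client may skip keyboard-interactive and authenticate
# with a plain password that never reaches the PAM stack. Defaults follow
# sshd_config(5): UsePAM defaults to no, PasswordAuthentication to yes.
pam_bypassable() {
    usepam=$(sshd_opt "$1" UsePAM no)
    pwauth=$(sshd_opt "$1" PasswordAuthentication yes)
    [ "$usepam" = yes ] && [ "$pwauth" = yes ]
}

# check_file PATH: human-readable report for a config file on disk.
check_file() {
    cfg=$(cat "$1") || return 2
    if pam_bypassable "$cfg"; then
        echo "$1: UsePAM yes but PasswordAuthentication is enabled;" \
             "set 'PasswordAuthentication no' so all logins go through PAM"
        return 1
    fi
    echo "$1: password auth disabled or PAM not in use; no bypass path"
    return 0
}
```

Run it as `. ./check_sshd_pam.sh; check_file /etc/ssh/sshd_config` (hypothetical file name). Keep in mind that a commented-out `#PasswordAuthentication no` counts as absent, so the default of yes applies, which is exactly the case the reply describes.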