[OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos

Darren Tucker dtucker at zip.com.au
Mon Jan 26 22:07:10 EST 2004


Jeffrey Hutzelman wrote:
> On Monday, January 26, 2004 17:17:46 -0500 Dean Anderson <dean at av8.com> 
> wrote:
> 
>> On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
>>
>>> Worse, it would not solve the problem.  The trouble here is not that AFS
>>> tokens are stored in a kernel data structure instead of a file.  It's
>>> that  they are indexed by a value which must be set on login, inherited
>>> from each  process by its children, and must not be changeable by the
>>> user (to prevent  token stealing).  OpenSSH loses not because you need
>>> special code to set  tokens, and not even because you need special code
>>> to generate a new PAG --  those things can be done by a PAM module.
>>> OpenSSH loses because the PAM  session module gets called outside the
>>> inheritance chain of the user's  shell, which means it can't set a PAG
>>> or anything else that is inherited  across a fork (e.g. groups,
>>> environment variables, resource limits, etc etc  etc).
>>
>>
>> Right. And there is an easy solution: Turn off Privsep.
> 
> 
> Sadly, this doesn't make any difference.  OpenSSH 3.7.1 and later run 
> PAM session modules in a subprocess unrelated to the eventual user 
> shell, regardless of whether privsep is enabled.  AFAIK, in earlier 
> versions, it works fine even with privsep, because while such things may 
> be run in a subprocess, they are run in a subprocess that ends up being 
> an ancestor of the user shell.

You can try:

./configure --with-cflags=-DUSE_POSIX_THREADS --with-ldflags=-lpthread

(or whichever library contains threads on your platform) and the PAM 
authentication code will be run as a thread.

See:
http://bugzilla.mindrot.org/show_bug.cgi?id=688

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
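The inheritance problem Jeffrey describes above, as an added example that is not part of the original thread: this C program models the PAG as an attribute that children inherit across fork(). An environment variable stands in for the kernel PAG (an assumption made for demonstration; the real PAG is set in the kernel and is not user-changeable), and a helper child plays the "user shell" and reports whether it inherited the attribute. ancestor_model() sets the attribute in a subprocess that then spawns the shell, as older OpenSSH did; sibling_model() sets it in a subprocess that exits before the shell is spawned, which is the 3.7.1-and-later arrangement the quoted text complains about.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Stand-in for the PAG: any attribute a child inherits across fork(),
 * such as groups, environment, or resource limits. An env var is used
 * here purely for demonstration; the real PAG lives in the kernel. */
#define PAG_VAR "DEMO_PAG"

/* Fork a "user shell" and return 1 if it sees the attribute, 0 if not,
 * -1 on error. The child's exit status carries the answer back. */
static int shell_sees_pag(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(getenv(PAG_VAR) != NULL ? 1 : 0);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Collect the result a child process reported via its exit status. */
static int collect(pid_t pid)
{
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Pre-3.7.1 style: the session-setup subprocess becomes an ancestor of
 * the shell, so whatever it sets is inherited. Returns 1. */
int ancestor_model(void)
{
    unsetenv(PAG_VAR);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        setenv(PAG_VAR, "set-by-ancestor", 1); /* the "setpag()" step */
        _exit(shell_sees_pag() == 1 ? 1 : 0);  /* shell forked from here */
    }
    return collect(pid);
}

/* 3.7.1-and-later style: the session module runs in a subprocess that
 * exits, and the shell is forked from its parent afterwards. Whatever
 * the module set dies with it. Returns 0. */
int sibling_model(void)
{
    unsetenv(PAG_VAR);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        setenv(PAG_VAR, "set-by-sibling", 1); /* the "setpag()" step */
        _exit(0);                             /* module finishes, exits */
    }
    if (collect(pid) < 0)
        return -1;
    return shell_sees_pag();                  /* shell forked by parent */
}

int main(void)
{
    printf("session setup in an ancestor of the shell: inherited=%d\n",
           ancestor_model());
    printf("session setup in a sibling subprocess:     inherited=%d\n",
           sibling_model());
    return 0;
}
```

The same structure applies to anything else set by fork-inheritance: a PAM session module that runs in the sibling position cannot hand the shell a PAG, supplementary groups, or resource limits, which is why Darren's suggestion of running the PAM code as a thread (so it executes inside the process that will become the shell's ancestor) matters.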

