[OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos

Dean Anderson dean at av8.com
Tue Jan 27 18:58:36 EST 2004


On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:

> On Monday, January 26, 2004 17:17:46 -0500 Dean Anderson <dean at av8.com> 
> wrote:
> 
> > On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
> >
> >> Worse, it would not solve the problem.  The trouble here is not that AFS
> >> tokens are stored in a kernel data structure instead of a file.  It's
> >> that  they are indexed by a value which must be set on login, inherited
> >> from each  process by its children, and must not be changeable by the
> >> user (to prevent  token stealing).  OpenSSH loses not because you need
> >> special code to set  tokens, and not even because you need special code
> >> to generate a new PAG --  those things can be done by a PAM module.
> >> OpenSSH loses because the PAM  session module gets called outside the
> >> inheritance chain of the user's  shell, which means it can't set a PAG
> >> or anything else that is inherited  across a fork (e.g. groups,
> >> environment variables, resource limits, etc etc  etc).
> >
> > Right. And there is an easy solution: Turn off Privsep.
> 
> Sadly, this doesn't make any difference.  OpenSSH 3.7.1 and later run PAM 
> session modules in a subprocess unrelated to the eventual user shell, 

Nope. OpenSSH 3.7.1p1 works for me with privsep turned off. When privsep
is turned off, there is no subprocess.  3.7.1p1 has some additional
breakage, in that if your ssh client doesn't support 'interactive/pam' as
a method, then it won't send anything to pam. This means that only openssh
clients work with pam on openssh servers. E.g., putty won't work.

I will probably release a derivative version of openssh that supports pam,
and doesn't have privsep.

		--Dean

> regardless of whether privsep is enabled.  AFAIK, in earlier versions, it 
> works fine even with privsep, because while such things may be run in a 
> subprocess, they are run in a subprocess that ends up being an ancestor of 
> the user shell.
> 
> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
>    Sr. Research Systems Programmer
>    School of Computer Science - Research Computing Facility
>    Carnegie Mellon University - Pittsburgh, PA
> 
> 
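As an added illustration of the inheritance-chain point raised above (this is not code from the thread, from OpenSSH or from PAM): a Python sketch that uses the soft RLIMIT_NOFILE value as a stand-in for a PAG, since both are per-process attributes inherited across fork. It assumes a POSIX host with os.fork; the "session module" and "shell" below are constructed stand-ins, not real PAM or sshd code.

```python
import os
import resource

RLIMIT = resource.RLIMIT_NOFILE  # fork-inherited attribute used as a stand-in for a PAG

def _run_in_child(fn):
    """Run fn() in a forked child and return its integer result, so the caller's own limits stay untouched."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(r)
        os.write(w, str(fn()).encode())  # single small write: arrives in the pipe atomically
        os._exit(0)
    os.close(w)
    os.waitpid(pid, 0)                   # child has exited, so its whole message is in the pipe
    data = os.read(r, 64)
    os.close(r)
    return int(data)

def session_module():
    """Stand-in for a PAM session module: halves the soft NOFILE limit of the calling process."""
    soft, hard = resource.getrlimit(RLIMIT)
    resource.setrlimit(RLIMIT, (soft // 2, hard))

def shell_limit():
    """Stand-in for the user's shell: a fresh child reporting the limit it inherited."""
    return _run_in_child(lambda: resource.getrlimit(RLIMIT)[0])

def login_ancestor_chain():
    """Module runs in a process that later forks the shell, so the change is inherited."""
    def scenario():
        session_module()        # modifies the process that will become the shell's ancestor
        return shell_limit()    # shell sees the halved limit
    return _run_in_child(scenario)

def login_sibling_subprocess():
    """Module runs in a helper subprocess unrelated to the shell, so the shell never sees it."""
    def scenario():
        pid = os.fork()
        if pid == 0:
            session_module()    # modifies only this short-lived helper
            os._exit(0)
        os.waitpid(pid, 0)
        return shell_limit()    # shell is forked from a process the module never touched
    return _run_in_child(scenario)
```

login_sibling_subprocess() returns the unchanged limit of the login process, while login_ancestor_chain() returns half of it; the same mechanism is why a PAG set outside the shell's ancestry is invisible to the shell.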


