Re: [OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Jeffrey Hutzelman wrote:
> On Monday, January 26, 2004 17:17:46 -0500 Dean Anderson <firstname.lastname@example.org>
>> On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
>>> Worse, it would not solve the problem. The trouble here is not that AFS
>>> tokens are stored in a kernel data structure instead of a file. It's
>>> that they are indexed by a value which must be set on login, inherited
>>> from each process by its children, and must not be changeable by the
>>> user (to prevent token stealing). OpenSSH loses not because you need
>>> special code to set tokens, and not even because you need special code
>>> to generate a new PAG -- those things can be done by a PAM module.
>>> OpenSSH loses because the PAM session module gets called outside the
>>> inheritance chain of the user's shell, which means it can't set a PAG
>>> or anything else that is inherited across a fork (e.g. groups,
>>> environment variables, resource limits, etc etc etc).
>> Right. And there is an easy solution: Turn off Privsep.
> Sadly, this doesn't make any difference. OpenSSH 3.7.1 and later run
> PAM session modules in a subprocess unrelated to the eventual user
> shell, regardless of whether privsep is enabled. AFAIK, in earlier
> versions, it works fine even with privsep, because while such things may
> be run in a subprocess, they are run in a subprocess that ends up being
> an ancestor of the user shell.
You can try:
./configure --with-cflags=-DUSE_POSIX_THREADS --with-ldflags=-lpthread
(or whichever library contains threads on your platform) and the PAM
authentication code will be run as a thread.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
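The inheritance point made in the quoted text (a PAM session module can only hand a PAG, supplementary groups or resource limits to the user's shell if it runs in a process that is an ancestor of that shell) can be demonstrated with the following added C program. It is an illustration written for this archive page, not code from OpenSSH, OpenAFS or any of the posters. It uses the soft RLIMIT_NOFILE limit as a stand-in for a PAG, since an unprivileged process may lower it and it is inherited across fork() in the same way; the labels "sshd subprocess" and "user shell" in the comments are the example's own names for the two process layouts described above, and the function names are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Choose a soft RLIMIT_NOFILE value that differs from the current one but
 * stays at or below the hard limit, so no privilege is needed to set it.
 * Returns 0 if no such value can be chosen. */
static rlim_t pick_new_soft(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0 || rl.rlim_cur < 2)
        return 0;
    return rl.rlim_cur - 1;
}

/* Stand-in for the PAM session module: apply a per-process, fork-inherited
 * setting (here a resource limit; a real module would call setpag() etc.). */
static int session_module(rlim_t new_soft)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    rl.rlim_cur = new_soft;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Stand-in for the user's shell: report the limit it inherited to the
 * parent over a pipe, then exit without returning into the caller's code. */
static void user_shell(int wfd)
{
    struct rlimit rl;
    rlim_t seen = 0;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0)
        seen = rl.rlim_cur;
    if (write(wfd, &seen, sizeof seen) != (ssize_t)sizeof seen)
        _exit(1);
    _exit(0);
}

/* Run one of the two layouts. With session_in_ancestor != 0 the subprocess
 * that runs the session module goes on to become the user shell (the older
 * layout the thread says works); otherwise that subprocess just exits and
 * the shell is forked from the parent as its sibling (the 3.7.1+ layout).
 * Returns 1 if the shell saw the module's setting, 0 if not, -1 on error. */
int shell_sees_new_limit(int session_in_ancestor)
{
    rlim_t new_soft = pick_new_soft();
    rlim_t seen = 0;
    int fds[2];
    pid_t pid;

    if (new_soft == 0 || pipe(fds) != 0)
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* "sshd subprocess": runs the session module. */
        if (session_module(new_soft) != 0)
            _exit(1);
        if (session_in_ancestor)
            user_shell(fds[1]);   /* inherits what was just set; never returns */
        _exit(0);                 /* sibling layout: the setting dies here */
    }
    if (waitpid(pid, NULL, 0) < 0)
        return -1;

    if (!session_in_ancestor) {
        /* The shell is forked from the parent, which never ran the module,
         * so nothing the sibling subprocess set can reach it. */
        pid_t shell = fork();
        if (shell < 0)
            return -1;
        if (shell == 0)
            user_shell(fds[1]);
        waitpid(shell, NULL, 0);
    }

    close(fds[1]);
    if (read(fds[0], &seen, sizeof seen) != (ssize_t)sizeof seen) {
        close(fds[0]);
        return -1;
    }
    close(fds[0]);
    return seen == new_soft;
}

int main(void)
{
    printf("session module in ancestor of shell: shell sees setting = %d\n",
           shell_sees_new_limit(1));
    printf("session module in sibling subprocess: shell sees setting = %d\n",
           shell_sees_new_limit(0));
    return 0;
}
```

The same mechanics apply to a PAG, groups and environment variables: all are copied from parent to child at fork() and never flow sideways to a sibling, which is why the thread's suggestion of running the PAM code as a thread of the process that later forks the shell keeps the setting inside the inheritance chain.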