Package: libpam-openafs-kaserver
Version: 1.2.13-1
Severity: normal

The sshd in sarge appears to build with at least some threading routines
(it's linked against pthread). This triggers the well-known conflict
between the traditional AFS threading method and pthreads and causes the
pam_afs.so PAM module to segfault.

The segfault is normally hidden due to pam_afs.so's default forking
behavior but becomes immediately obvious when dont_fork is used as an
option. It appears to only affect using pam_afs.so for PAM authentication
with sshd, not for regular login authentication (likely because login isn't
linked with pthread).

The solution is the same solution that was required for the AFS Perl module,
namely don't link against the regular AFS libraries but instead link against
libafsauthent and libafsrpc. Those libraries are compatible with pthreads.

Implementing this, given what's done to the build in order to get the PAM
modules to build PIC, looks to be a bit tricky. Eventually those libraries
themselves should be built PIC. The following link line in the src/pam
Makefile works for me:

    $(CC) $(LDFLAGS) $(PAM_CFLAGS) -o $@ afs_setcred.o afs_auth.o afs_util.o \
        $(SHOBJS) ${TOP_LIBDIR}/libafsrpc.a ${TOP_LIBDIR}/libafsauthent.a \
        ${TOP_LIBDIR}/util.a ${TOP_LIBDIR}/libafsrpc.a \
        ${TOP_LIBDIR}/libafsauthent.a -lcrypt -lpam -lresolv -lpthread

but I expect this breaks the fix for PIC PAM modules again.

Please note that this is not actually breaking anything for me, as I have
to use pam_afs.krb.so anyway (at least until I can get our final K5 upgrade
project approved), but since I ran across it and managed to debug it, I
wanted to pass it along to save someone else some time. I'm not sure that
the kaserver PAM module is in widespread enough use to have it be worthwhile
to put the effort into fixing this, at least until good upstream shared
library builds come along and make it easy, but it may be worth a note in
the Debian documentation somewhere.

-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.26
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)

Versions of packages libpam-openafs-kaserver depends on:
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libpam0g 0.76-22 Pluggable Authentication Modules l