On Fri, Aug 30, 2013 at 02:51:44PM +0200, Dag-Erling Sm??rgrav wrote: > Slawa Olhovchenkov <[email protected]> writes: > > Dag-Erling Sm??rgrav <[email protected]> writes: > > > PAM authentication in OpenSSH was broken for non-trivial cases when > > > privilege separation was implemented. Fixing it properly would be > > > very difficult. > > Same behaviour with 'UsePrivilegeSeparation no'. This issuse not in > > privilege separation, this is because PAM authentication use pthread > > emulation throw fork(). > > Please don't tell me how the code works. I wrote it - or rather, I > wrote a version that worked, before the OpenSSH developers implemented > privilege separation and had to break the PAM integration code to make > it fit. Even if you #define UNSUPPORTED_POSIX_THREADS_HACK to use > threads instead of a subprocess, OpenSSH will still call pam_start() > twice and lose the data stored in the authentication phase before > running the session phase.
Hmmm, now I try to compile sshd with UNSUPPORTED_POSIX_THREADS_HACK and it works (/tmp/krb5cc_NNNN created, kerberosied login to other host working w/o entering password). And I see only one record in log file (debug1: PAM: initializing for "slw") What I missed? PS: UsePrivilegeSeparation yes > (this is technically an abuse of the PAM API; I should probably add a > few lines to the OpenPAM dispatcher so it logs an error every time an > application tries to open a session without first authenticating) > > DES > -- > Dag-Erling Sm??rgrav - [email protected] _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"
