Lev Serebryakov <[email protected]> writes: > Dag-Erling Smørgrav <[email protected]> writes: > > We're not just talking about a bug in sshd. We're talking about a > > fundamentally broken paradigm which affects *all* applications. > How does it affect second-most-used-login application -- login(1)?
I don't think login(1) is anywhere near second place - but yes, login(1) is affected too. Everything that uses PAM is affected by the need to have a process wait around to call pam_close_session(). Many, but not all, PAM applications are also affected by PAM's reliance on callbacks for user interaction (this is a major problem for OpenSSH). Performing authentication in the same process that accepts and parses input from potentially hostile users is also a huge security issue, cf. privilege separation. > And, yes, what do you mean by "fundamentally broken paradigm" here? > PAM itself? PAM, NSS, everything. Using separate APIs with separate backends for identification and authentication, shoehorning modern identity databases into the 40-year-old getpwnam() API - everything. DES -- Dag-Erling Smørgrav - [email protected] _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"
