Christopher Allen Wing wrote: >When 'keyboard-interactive' mode is in use, OpenSSH forks off a separate >process to do PAM authentication. This process then dies, and thus the >credentials cache (which is stored in memory) goes away. > >When 'keyboard-interactive' mode is disabled (and 'password' mode is used >instead), the PAM authentication is done in the same process, so the >credentials cache isn't destroyed.
The credentials are passed between the different stages of ssh authentication via pam_putenv() and pam_getenv() calls. If they occur in separate processes Bad Things happen. With Solaris this usually means core dumps. >There are some #ifdefs in the openssh source which control whether >pthreads are used to call PAM, or a separate process. When pthreads are >used, a new thread is created, PAM calls are made in this thread, and then >the thread terminates. However, the credentials then stick around properly >(since the thread shares memory with the rest of sshd) This is a side effect that happens to work ;-) [...] >However, pthreads appear to be disabled by default in OpenSSH (there is >no --configure option to enable them). So it would be wise to find out why >they decided not to expose this functionality; it's possible that it might >be broken in some other way. There is a good reason for disabling pthreads in the source code of OpenSSH and making it difficult to enable: Every single PAM module on the PAM stack has to be multi-thread safe! So you better know your PAM modules well... The whole PAM stuff (in OpenSSH) is broken! Carsten
pgp9zavpOuYGu.pgp
Description: PGP signature
