On Monday, October 29, 2007 01:00:17 PM +0000 Darren J Moffat <Darren.Moffat at Sun.COM> wrote:
> 2. PAM - what if we could run PAM in the global zone
>
> This could work and might have other uses. The idea would be
> to have libpam use doors to talk to a global zone process.
> The advantage here is it "fixes" more than just sshd in a
> labeled zone. It also means the authentication happens in
> the Trusted Path.

Unfortunately, it also may mean breaking assumptions about the way PAM modules interact with the application's environment. For example, a PAM session module needs to be able to manipulate properties of the new session such as its supplemental group memberships(*).

It may be possible to run authentication in the global zone and session management in the calling process, but that introduces interesting problems with a module communicating with itself via PAM_DATA items, especially when those items contain references to external resources such as file descriptors or files (think Kerberos credential caches).

It also leaves open the question of pam_setcred, which may also need access to the new session, especially in the presence of ill-behaved applications which are inconsistent in whether they call pam_open_session, pam_setcred, or both, and in what order (apps included in Solaris should not have this problem, but many third-party applications do).

(*) That's an example, not an exhaustive list, and I don't think it's realistic to construct such a list and try to make libpam handle each case.

> 3. sshd - make it label aware.
>
> It would be wise to make this configurable (ie we could still
> deploy as we do today). However I think this is potentially
> quite complex and there are possible issues with the fact that
> ssh can have multiple channels open at different times in the
> lifecycle of the connection.

I don't think multiple channels are actually an issue. Channel creation happens within the SSH connection layer, after authentication is complete, so there is no way to assign different security properties to different channels.

-- 
Jeff