Slawa Olhovchenkov <[email protected]> writes: > Dag-Erling Smørgrav <[email protected]> writes: > > PAM authentication in OpenSSH was broken for non-trivial cases when > > privilege separation was implemented. Fixing it properly would be > > very difficult. > Same behaviour with 'UsePrivilegeSeparation no'. This issuse not in > privilege separation, this is because PAM authentication use pthread > emulation throw fork().
Please don't tell me how the code works. I wrote it - or rather, I wrote a version that worked, before the OpenSSH developers implemented privilege separation and had to break the PAM integration code to make it fit. Even if you #define UNSUPPORTED_POSIX_THREADS_HACK to use threads instead of a subprocess, OpenSSH will still call pam_start() twice and lose the data stored in the authentication phase before running the session phase. (this is technically an abuse of the PAM API; I should probably add a few lines to the OpenPAM dispatcher so it logs an error every time an application tries to open a session without first authenticating) DES -- Dag-Erling Smørgrav - [email protected] _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"
