Slawa Olhovchenkov <s...@zxy.spb.ru> writes: > Dag-Erling Smørgrav <d...@des.no> writes: > > PAM authentication in OpenSSH was broken for non-trivial cases when > > privilege separation was implemented. Fixing it properly would be > > very difficult. > Same behaviour with 'UsePrivilegeSeparation no'. This issuse not in > privilege separation, this is because PAM authentication use pthread > emulation throw fork().
Please don't tell me how the code works. I wrote it - or rather, I wrote a version that worked, before the OpenSSH developers implemented privilege separation and had to break the PAM integration code to make it fit. Even if you #define UNSUPPORTED_POSIX_THREADS_HACK to use threads instead of a subprocess, OpenSSH will still call pam_start() twice and lose the data stored in the authentication phase before running the session phase. (this is technically an abuse of the PAM API; I should probably add a few lines to the OpenPAM dispatcher so it logs an error every time an application tries to open a session without first authenticating) DES -- Dag-Erling Smørgrav - d...@des.no _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
