2014-02-19 3:32 GMT+01:00 Theo de Raadt <dera...@cvs.openbsd.org>:
>> 2014-02-17 22:12 GMT+01:00 Miod Vallat <m...@online.fr>:
>>>> and of course PAM:
>>>>
>>>> http://blackhatlibrary.net/Hooking_PAM
>>>
>>> Well, there's a reason why OpenBSD does not embed PAM. It has to do with
>>> software giving people enough rope to hang themselves.
>>
>> PAM is just an API. You can write a small and simple pam_bsdauth module
>> and call stuff in /usr/libexec/auth/ in BSD Auth style, so you can get
>> privilege separation etc., but another issue is the simplicity of
>> solutions and space to attack, and especially Linux-PAM (vs OpenPAM)
>> is terribly overblown.
>
> Bullshit.
>
> PAM uses shared library loading to pull (specified shared library) code into
> a program, to do the authentication. You have to trust that shared library
> code.
>
> But BSD auth does not do that! It does not require you to pull someone
> else's crap code into your binary!
>
> Saying "it is just API" makes it clear you are not a programmer.
Theo, as a great programmer, can you explain to us all what this piece of code does? From L351:

https://github.com/freebsd/freebsd/blob/master/contrib/openpam/include/security/openpam.h#L358

/*
 * Infrastructure for static modules using GCC linker sets.
 * You are not expected to understand this.
 */
#if !defined(PAM_SOEXT)
# define PAM_SOEXT ".so"
#endif

#if defined(OPENPAM_STATIC_MODULES)
# if !defined(__GNUC__)
#  error "Don't know how to build static modules on non-GNU compilers"
# endif
/* gcc, static linking */
# include <sys/cdefs.h>
# include <linker_set.h>
# define PAM_EXTERN static
# define PAM_MODULE_ENTRY(name)                                         \
        static char _pam_name[] = name PAM_SOEXT;                       \
        static struct pam_module _pam_module = {                        \
                .path = _pam_name,                                      \
                .func = {                                               \
                        [PAM_SM_AUTHENTICATE] = _PAM_SM_AUTHENTICATE,   \
                        [PAM_SM_SETCRED] = _PAM_SM_SETCRED,             \
                        [PAM_SM_ACCT_MGMT] = _PAM_SM_ACCT_MGMT,         \
                        [PAM_SM_OPEN_SESSION] = _PAM_SM_OPEN_SESSION,   \
                        [PAM_SM_CLOSE_SESSION] = _PAM_SM_CLOSE_SESSION, \
                        [PAM_SM_CHAUTHTOK] = _PAM_SM_CHAUTHTOK          \
                },                                                      \
        };                                                              \
        DATA_SET(_openpam_static_modules, _pam_module)

It's terrible, because OpenSSL uses engines; it is also not possible to statically compile binaries. Right?
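For readers following the thread: the following is an added, stand-alone example (not OpenPAM's code and not posted by anyone in this thread) that re-creates the GCC "linker set" trick behind the DATA_SET(_openpam_static_modules, ...) line quoted above, reduced to two entry points instead of six. It assumes GCC or clang on an ELF target with GNU ld or lld, which synthesise __start_<section> and __stop_<section> symbols for any section whose name is a valid C identifier. The module names pam_unix.so and pam_deny.so and their policies are made up for the demo.

```c
/* Added example (not OpenPAM's code): a minimal re-creation of the GCC
 * "linker set" mechanism behind DATA_SET(_openpam_static_modules, ...).
 * Assumptions: GCC/clang on ELF with GNU ld or lld, which emit
 * __start_<section>/__stop_<section> for a section whose name is a valid
 * C identifier. Module names and policies below are made up. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reduced stand-in for struct pam_module: two entry points instead of six. */
enum { SM_AUTHENTICATE, SM_ACCT_MGMT, SM_COUNT };
typedef int (*sm_func)(const char *user);

struct static_module {
    const char *path;        /* lookup key, the same string a dlopen() build would pass */
    sm_func func[SM_COUNT];  /* NULL means the module does not provide that hook */
};

/* Register a module: drop a pointer to it into section "static_modules".
 * The linker concatenates every such pointer and brackets the result with
 * __start_static_modules / __stop_static_modules; 'used' stops the compiler
 * from discarding the otherwise-unreferenced pointer. */
#define STATIC_MODULE_SET(sym) \
    static struct static_module *static_modules_entry_##sym \
        __attribute__((section("static_modules"), used)) = &sym

extern struct static_module *__start_static_modules[];
extern struct static_module *__stop_static_modules[];

/* Hypothetical module 1: refuses root, accepts everyone else. */
static int unix_authenticate(const char *user) { return strcmp(user, "root") != 0; }
static int unix_acct_mgmt(const char *user) { (void)user; return 1; }
static struct static_module pam_unix_module = {
    .path = "pam_unix.so",
    .func = { [SM_AUTHENTICATE] = unix_authenticate, [SM_ACCT_MGMT] = unix_acct_mgmt },
};
STATIC_MODULE_SET(pam_unix_module);

/* Hypothetical module 2: always denies, and only provides the authenticate hook. */
static int deny_authenticate(const char *user) { (void)user; return 0; }
static struct static_module pam_deny_module = {
    .path = "pam_deny.so",
    .func = { [SM_AUTHENTICATE] = deny_authenticate },
};
STATIC_MODULE_SET(pam_deny_module);

/* Number of modules baked into this binary at link time. */
size_t static_module_count(void)
{
    return (size_t)(__stop_static_modules - __start_static_modules);
}

/* What replaces dlopen(path) in a static build: a walk over the set. */
const struct static_module *find_static_module(const char *path)
{
    for (struct static_module **p = __start_static_modules; p < __stop_static_modules; p++)
        if (strcmp((*p)->path, path) == 0)
            return *p;
    return NULL;
}

/* Dispatch one service-module call. Returns the hook's result, or -1 when
 * the module is unknown or lacks that hook (the dlsym()-failure case). */
int run_sm(const char *path, int which, const char *user)
{
    const struct static_module *m = find_static_module(path);
    if (m == NULL || which < 0 || which >= SM_COUNT || m->func[which] == NULL)
        return -1;
    return m->func[which](user);
}

int main(void)
{
    printf("%zu modules linked in:\n", static_module_count());
    for (struct static_module **p = __start_static_modules; p < __stop_static_modules; p++)
        printf("  %s\n", (*p)->path);
    printf("pam_unix.so auth alice -> %d\n", run_sm("pam_unix.so", SM_AUTHENTICATE, "alice"));
    printf("pam_unix.so auth root  -> %d\n", run_sm("pam_unix.so", SM_AUTHENTICATE, "root"));
    printf("pam_deny.so acct alice -> %d\n", run_sm("pam_deny.so", SM_ACCT_MGMT, "alice"));
    return 0;
}
```

Build with `cc -Wall -o static_modules static_modules.c`; `nm static_modules | grep static_modules` should show both `__start_static_modules` and `__stop_static_modules` resolved. The point for the static-linking question: in this mode the module's "path" is only a key into a table fixed at link time, so there is no dlopen() and no runtime search path involved, which is why a fully static PAM binary is possible with OpenPAM. If you link with `-Wl,--gc-sections`, check that the section survives (newer linkers have a start-stop-gc option that changes whether the __start_/__stop_ references keep it alive).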