[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MITKerberos

To: Jeffrey Hutzelman <jhutz@cmu.edu>
Subject: Re: [OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MITKerberos
From: Darren Tucker <dtucker@zip.com.au>
Date: Tue, 27 Jan 2004 14:07:10 +1100
CC: Dean Anderson <dean@av8.com>, heimdal-discuss@sics.se, kerberos@mit.edu, openafs-devel@openafs.org, "Henry B. Hotz" <hotz@jpl.nasa.gov>, OpenSSH Devel List <openssh-unix-dev@mindrot.org>, "Douglas E. Engert" <deengert@anl.gov>
In-Reply-To: <23870000.1075157467@mariner.pc.cs.cmu.edu>
References: <Pine.LNX.4.44.0401261707090.5519-100000@localhost.localdomain> <23870000.1075157467@mariner.pc.cs.cmu.edu>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113

Jeffrey Hutzelman wrote:
> On Monday, January 26, 2004 17:17:46 -0500 Dean Anderson <dean@av8.com> 
> wrote:
> 
>> On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
>>
>>> Worse, it would not solve the problem.  The trouble here is not that AFS
>>> tokens are stored in a kernel data structure instead of a file.  It's
>>> that  they are indexed by a value which must be set on login, inherited
>>> from each  process by its children, and must not be changeable by the
>>> user (to prevent  token stealing).  OpenSSH loses not because you need
>>> special code to set  tokens, and not even because you need special code
>>> to generate a new PAG --  those things can be done by a PAM module.
>>> OpenSSH loses because the PAM  session module gets called outside the
>>> inheritance chain of the user's  shell, which means it can't set a PAG
>>> or anything else that is inherited  across a fork (e.g. groups,
>>> environment variables, resource limits, etc etc  etc).
>>
>>
>> Right. And there is an easy solution: Turn off Privsep.
> 
> 
> Sadly, this doesn't make any difference.  OpenSSH 3.7.1 and later run 
> PAM session modules in a subprocess unrelated to the eventual user 
> shell, regardless of whether privsep is enabled.  AFAIK, in earlier 
> versions, it works fine even with privsep, because while such things may 
> be run in a subprocess, they are run in a subprocess that ends up being 
> an ancestor of the user shell.

You can try:

./configure --with-cflags=-DUSE_POSIX_THREADS --with-ldflags=-lpthread

(or whichever library contains threads on your platform) and the PAM 
authentication code will be run as a thread.

See:
http://bugzilla.mindrot.org/show_bug.cgi?id=688

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Prev by Date: db4.1
Next by Date: Re: openssh + heimdal: real nightmare
Prev by thread: db4.1
Next by thread: Build environment incomplete and how to handle that.
Index(es):
- Date
- Thread