SSH and PAM concerns
Hi. I try not to follow OpenSSH development, but from time to time I
cannot avoid running into new developments in the OpenSSH code base.
It's my understanding that the ssh 3.7 codebase has new PAM handling.
I don't know exactly what ended up getting released, but at least one
version of the code would break a lot of PAM modules.
I'd like to draw your attention to the PAM minipolicy found in
/usr/share/doc/libpam0g. This document does not actually have the
force of policy in that it is not in the Debian policy document, but
it certainly is a set of guidelines for interoperability. If the
Debian ssh package ends up adopting PAM code that violates these
guidelines it will break user expectations.
I believe that it is important that the default behavior of the ssh
package:
1) call all the PAM modules in a process that will ultimately be
inherited by the user's session. The PAM modules need to be able
to change the environment and other attributes of the process. I
realize that environment could be handled another way, but we
cannot enumerate all the possible attributes of a process that
people may wish to change using PAM modules and the only way we can
guarantee that things work is for the PAM modules to be called in a
process that ends up starting the user session.
2) The PAM callbacks need to run as root.
3) pam_close_session and pam_end need to be called in the same process
or a process that inherits from the process where PAM callbacks
are, using the same PAM handle. I.e., you cannot call pam_start
and pam_open_session in one process then pam_start and
pam_close_session in another module.
If the new PAM code in the openssh packages violates these
constraints, we should probably discuss how we want to handle things.
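
The three constraints listed in the message, expressed as a checker over a recorded sequence of PAM calls. This is an added example, not part of the original message and not OpenSSH or Debian code; the event model, process tree, pids and traces are constructed, and reading constraint 2 as "effective uid 0 for every recorded call" is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* One recorded PAM call (constructed model, not sshd's own data structures). */
struct ev { int pid, euid, handle; const char *call; };
/* Constructed process tree: PARENT[pid] is the parent pid, 0 means none. */
static const int PARENT[32] = { [10] = 1, [11] = 10, [20] = 10, [30] = 1 };

/* True if pid is `ancestor` itself or a process descended from it. */
static int inherits_from(int pid, int ancestor) {
    for (; pid != 0; pid = PARENT[pid]) if (pid == ancestor) return 1;
    return 0;
}

/* Returns 0 if the trace meets all three constraints, otherwise the number
 * (1-3) of the first one violated. session_pid runs the user's session. */
int check_trace(const struct ev *t, int n, int session_pid) {
    int open_pid = 0, open_handle = -1;
    for (int i = 0; i < n; i++) {
        const struct ev *e = &t[i];
        if (e->euid != 0) return 2;                   /* 2: assumed to mean euid 0 */
        if (!strcmp(e->call, "pam_start")) continue;  /* invokes no modules */
        if (!strcmp(e->call, "pam_close_session") || !strcmp(e->call, "pam_end")) {
            /* 3: same handle, in the opening process or one inheriting from it */
            if (e->handle != open_handle || !inherits_from(e->pid, open_pid)) return 3;
            continue;
        }
        /* 1: modules must run in a process the session inherits from */
        if (!inherits_from(session_pid, e->pid)) return 1;
        if (!strcmp(e->call, "pam_open_session")) { open_pid = e->pid; open_handle = e->handle; }
    }
    return 0;
}
/* Constructed traces; pid 11 is the user's session in each. */
static const struct ev GOOD[] = { {10, 0, 1, "pam_start"},
    {10, 0, 1, "pam_authenticate"}, {10, 0, 1, "pam_open_session"},
    {10, 0, 1, "pam_close_session"}, {10, 0, 1, "pam_end"} };
static const struct ev SIDE_AUTH[] = { {20, 0, 1, "pam_start"},  /* helper pid 20 */
    {20, 0, 1, "pam_authenticate"}, {10, 0, 1, "pam_open_session"} };
static const struct ev SPLIT_CLOSE[] = { {10, 0, 1, "pam_start"},
    {10, 0, 1, "pam_open_session"},   /* then a second pam_start elsewhere */
    {30, 0, 2, "pam_start"}, {30, 0, 2, "pam_close_session"} };
static const struct ev UNPRIV[] = { {10, 1000, 1, "pam_start"} };
#define N(a) ((int)(sizeof(a) / sizeof((a)[0])))

int main(void) {  /* prints "0 1 3 2" */
    printf("%d %d %d %d\n", check_trace(GOOD, N(GOOD), 11), check_trace(SIDE_AUTH, N(SIDE_AUTH), 11),
           check_trace(SPLIT_CLOSE, N(SPLIT_CLOSE), 11), check_trace(UNPRIV, N(UNPRIV), 11));
    return 0;
}
```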