package: ssh severity: serious justification: breaks unrelated packages; violation of pam mini-policy tags: sarge, sid, patch Hi. During the ssh 3.7 and 3.8 porting effort I pointed out on debian-ssh that you needed to be aware of issues surrounding PAM support in openssh starting with 3.7. The problem is that the fine folks at openssh had some trouble with their event loop and decided to spin the pam authentication stuff off into its own process. This is bad because it breaks pam in several ways. The primary way is the same authentication handle is not used for both the pam_authenticate vs pam_open_session/pam_setcred. This is bad because it prevents pam modules from setting up credentials and writing them out/enabling them during the set_cred phase. It breaks several pam modules, most notably from my standpoint pam_krb5. It's also a violation of how PAM is intended to be used. For this reason it is a violation of the Debian PAM mini-policy found in /usr/share/doc/libpam0g on all Debian systems. The OpenSSH folks did provide a fix: the -DUSE_POSIX_THREADS compiler option. Unfortunately this is disabled in the ssh package. Here's a patch to fix this. I consider this problem fairly serious and hope we can come to quick agreement on a solution for sarge. ---------------------------------------------------------------------- r228: hartmans | 2004-10-26T17:36:39.333006Z Enable posix threads for pam so everything is in one address space ---------------------------------------------------------------------- === trunk/openssh-krb5/debian/rules ================================================================== --- trunk/openssh-krb5/debian/rules (revision 227) +++ trunk/openssh-krb5/debian/rules (revision 228) @@ -64,10 +64,10 @@ mkdir -p build-deb (cd build-deb && ../configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin --with-superuser-path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 \ --with-privsep-path=/var/run/sshd --without-rand-helper --with-kerberos5=/usr --with-kerberos4=/usr \ - --disable-strip) + --disable-strip --with-ldflags='-pthread' ) # Some 2.2 kernels have trouble with setres[ug]id() (bug #239999). perl -pi -e 's/.*#undef (BROKEN_SETRES[UG]ID).*/#define $$1 1/' build-deb/config.h - $(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='$(OPTFLAGS) -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -DSSH_VERSION="\"$(SSH_VERSION)\""' SSH_KEYSIGN='/usr/lib/ssh-keysign' + $(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='$(OPTFLAGS) -g -Wall -DUSE_POSIX_THREADS -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -DSSH_VERSION="\"$(SSH_VERSION)\""' SSH_KEYSIGN='/usr/lib/ssh-keysign' touch build-deb-stamp
Attachment:
pgpaSJMqjZVJ1.pgp
Description: PGP signature