Bug#342157: openssh-server: calls PAM auth and setcred in different contexts
Package: openssh-server
Version: 1:4.2p1-5
Severity: important
Apologies if this was already reported. I went through the PAM bugs and
didn't see it, other than as a comment in #63460 which is a different
issue.
The Debian PAM mini-policy says:
1) Use the same PAM handle for all operations. This means it is
not OK to call pam_start once for authentication and then later for
session management. Modules need to be able to store pam_data between
entry points.
However, openssh-server starts a subprocess to do PAM authentication when
ChallengeResponseAuthentication is enabled. It then tries to lift any
environment variables set by pam_authenticate to the parent process using
pam_getenvlist, but that doesn't do anything for data items set by
pam_set_data.
This, among other things, breaks the libpam-krb5 currently in unstable.
It's possible to work around this by using a temporary disk file for a
credential cache, and I've written a workaround, but it's a bit ugly and
it would be nice to be able to rely on the Debian PAM mini-policy being
followed by all PAM-using applications. I don't really understand why
upstream chose to do PAM authentication in such a horribly convoluted way.
It would be very nice if openssh-server could be modified to not fork that
separate [pam] subprocess and instead do the PAM authentication calls in
the parent process. I expect this will break various other PAM modules
that rely on the separation between pam_authenticate and pam_setcred.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Versions of packages openssh-server depends on:
ii adduser 3.79 Add and remove users and groups
ii debconf [debconf-2.0] 1.4.59 Debian configuration management sy
ii dpkg 1.13.11.0.1 package maintenance system for Deb
ii libc6 2.3.5-8 GNU C Library: Shared libraries an
ii libcomerr2 1.38-2 common error description library
ii libkrb53 1.4.3-3 MIT Kerberos runtime libraries
ii libpam-modules 0.79-3 Pluggable Authentication Modules f
ii libpam-runtime 0.79-3 Runtime support for the PAM librar
ii libpam0g 0.79-3 Pluggable Authentication Modules l
ii libselinux1 1.26-1 SELinux shared libraries
ii libssl0.9.8 0.9.8a-3 SSL shared libraries
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra
ii openssh-client 1:4.2p1-5 Secure shell client, an rlogin/rsh
ii zlib1g 1:1.2.3-8 compression library - runtime
openssh-server recommends no packages.
-- debconf information:
ssh/insecure_rshd:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/encrypted_host_key_but_no_keygen:
ssh/disable_cr_auth: false
Reply to: