Re: OpenSSH and pam_krb5

From: Fredrik Tolf (fredrik_at_dolda2000.com)
Date: 04/17/04

    Date: Sat, 17 Apr 2004 16:14:49 +0200
    To: Darren Tucker <dtucker@zip.com.au>
    
    

    Darren Tucker writes:
    > Fredrik Tolf wrote:
    >
    > > Darren Tucker writes:
    > > > Yes, this is a known issue:
    > > > http://bugzilla.mindrot.org/show_bug.cgi?id=688
    > >
    > > I see - I almost guessed so, although I'm quite surprised it isn't
    > > fixed (I can't believe I missed that Bugzilla, though... :-/ ). I
    > > would have thought that Kerberos would be popular enough to draw
    > > attention to this. Thanks for bringing that to my attention. I'll have
    > > to take a closer look at the source and see if there's a way to fix
    > > it.
    >
    > Good luck, fixing this looks hard when using keyboard-interactive
    > because PAM deliberately hides the information sshd would need to
    > export. I have a couple of possibly viable ideas, I'll attach them to
    > the bug when I rewrite the details a bit.

    Precisely what I was thinking as well... I was merely hoping that
    maybe PAM specifies that the private data must be contained within a
    well-defined memory space in order to make it copyable. Unfortunately
    I seem to have lost my PAM source for the moment, so I can't verify
    that. I do have my doubts, though... :-)

    If that fails, I'm kind of hoping that it might be possible to
    "switch" functionality so that the main process does the PAM
    authentication. I have my doubts about that, too, though...

    > > I cannot detect any POSIX thread availability in OpenSSH. Was it
    > > introduced in a later version than 3.7.1?
    >
    > No, it's in 3.7p1 and up but you must set the flags manually if you
    > absolutely need it. These may vary between platforms, but for, eg,
    > Solaris it would be:
    > ./configure --with-cflags=-DUSE_POSIX_THREADS --with-ldflags=-lpthreads

    Yeah, I managed to find that out eventually, only on GNU/Linux it's
    -lpthread (singular). I take it this is a rather experimental feature,
    considering how concealed it is?

    > There's also a compile-time error in that configuration that is fixed in
    > either 3.8p1 or the soon-to-be-released 3.8.1p1.

    Really? It worked perfectly well for me. I guess it will have to do if
    I really can't find another solution. Thank you very much for helping
    me with this - my pam_krb5 module finally works, even if it's using an
    experimental feature.

    > Release Notes:
    > http://www.openssh.com/txt/release-3.8
    >
    > Change Log (also in release tarball):
    > ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog

    I managed to find one in the mailing list archives before I got your
    reply. Thanks for your helpfulness, though!

    Fredrik Tolf

