Re: OpenSSH and pam_krb5
From: Fredrik Tolf (fredrik_at_dolda2000.com)
Date: Sat, 17 Apr 2004 16:14:49 +0200 To: Darren Tucker <email@example.com>
Darren Tucker writes:
> Fredrik Tolf wrote:
> > Darren Tucker writes:
> > > Yes, this is a known issue:
> > > http://bugzilla.mindrot.org/show_bug.cgi?id=688
> > I see - I almost guessed so, although I'm quite surprised it isn't
> > fixed (I can't believe I missed that Bugzilla, though... :-/ ). I
> > would have thought that Kerberos would be popular enough to draw
> > attention to this. Thanks for bringing that to my attention. I'll have
> > to take a closer look at the source and see if there's a way to fix
> > it.
> Good luck, fixing this looks hard when using keyboard-interactive
> because PAM deliberately hides the information sshd would need to
> export. I have a couple of possibly viable ideas, I'll attach them to
> the bug when I rewrite the details a bit.
Precisely what I was thinking as well... I was merely hoping that
maybe PAM specifies that the private data must be contained within a
well-defined memory space in order to make it copyable. Unfortunately
I seem to have lost my PAM source for the moment, so I can't verify
that. I do have my doubts, though... :-)
If that fails, I'm kind of hoping that it might be possible to
"switch" functionality so that the main process does the PAM
authentication. I have my doubts about that, too, though...
> > I cannot detect any POSIX thread availability in OpenSSH. Was it
> > introduced in a later version than 3.7.1?
> No, it's in 3.7p1 and up but you must set the flags manually if you
> absolutely need it. These may vary between platforms, but for, eg,
> Solaris it would be:
> ./configure --with-cflags=-DUSE_POSIX_THREADS --with-ldflags=-lpthreads
Yeah, I managed to find that out eventually, only on GNU/Linux it's
-lpthread (singular). I take it this is a rather experimental feature,
considering how concealed it is?
> There's also a compile-time error in that configuration that is fixed in
> either 3.8p1 or the soon-to-be-released 3.8.1p1.
Really? It worked perfectly well for me. I guess it will have to do if
I really can't find another solution. Thank you very much for helping
me with this - my pam_krb5 module finally works, even if it's using an
> Release Notes:
> Change Log (also in release tarball):
I managed to find one in the mailing list archives before I got your
reply. Thanks for your helpfulness, though!