Re: OpenSSH 3.8 Released

From: Neil W Rickert (rickert+nn_at_cs.niu.edu)
Date: 02/29/04

  • Next message: Xanadu: "Re: remote ssh not closing after X program run" 
    Date: Sun, 29 Feb 2004 02:05:50 +0000 (UTC)

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    dtucker@dodgy.net.au (Darren Tucker) writes:
    >Neil W Rickert <rickert+nn@cs.niu.edu> wrote:
    >>dtucker@dodgy.net.au (Darren Tucker) writes:
    >>>What is this required for? PAM/AFS?

    >>It is needed for establishing NISPLUS credentials and for secure NFS.
    >>There are many solaris sites that depend on this.

    >I'd like to understand what's going on in this case (I have a reasonable
    >idea, and I have a couple of ideas for solving it, but none of them are
    >easy).

    Here's an overview.

    A user has a public/private keypair in nisplus. The private key
    is encrypted with the user login password.

    The command "keylogin" asks for the user password, decrypts the
    private key, then registers credentials with the running "keyserv"
    daemon. These credentials are required for certain operations,
    including the authentication of secure NFS access requests. The
    command "keylogout" tells the "keyserv" daemon to discard these
    credentials.

    Typically, a user only needs the equivalent of "keylogin" once per
    reboot, although a security conscious user might "keylogout" whenever
    logging out from the system.

    In normal use, a system login should do the "keylogin" on behalf of
    the user. This is where PAM is needed when logging in with ssh.

    It depends a little on how things are setup. On the nisplus master
    server, and perhaps on some other systems, root is able to read the
    user's encrypted password (shadow data). However, if permissions are
    strict, then on client machines root does not have permission to read
    the shadow data.

    On such a client machine, the PAM routines must do the keylogin for
    the user, so that the user can then read the shadow data. This allow
    login to work. On such a client machine, all works fine without
    "USE_POSIX_THREADS".

    However, on a server machine, where root can access the shadow data,
    the login works without needing a keylogin. In that case, the
    PAM routines authenticate the user without doing a keylogin. The
    keylogin should be done in the later call to pam_setcred() .
    However, this can only work if there is preserved state information
    available between the various pam calls. Apparently this state
    information is not preserved unless sshd is built with
    "USE_POSIX_THREADS" defined.

       ------------

    >>Previous openssh versions linked using the needed "-R" flags, so that
    >>the runtime location of the openssl libraries is properly set in the
    >>binary. That does not happen with this release. I had to set
    >>"LD_RUN_PATH" before compiling, in order for that to work properly.

    >Does the configure option "--with-rpath" make a difference?

    Yes, that worked.

    I hadn't tried it before, since the output of "./configure --help"
    listed only "--without-rpath" and suggested that "--with-rpath" was
    the default.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (SunOS)

    iD8DBQFAQUj6vmGe70vHPUMRArGrAJ0aPJwZhc5R/TWf/dwD+MrpAdtPkwCeMtBa
    Yaj+QRNIDSUyMgd1pscXTEU=
    =3i/A
    -----END PGP SIGNATURE-----

  • Next message: Xanadu: "Re: remote ssh not closing after X program run"