On 23 Jul 2015, at 17:38, Marc Espie wrote:
Not surprisingly, as the patch clearly shows, the problem is right smack in the middle of USE_PAM code.
I wouldn't call that an OpenSSH bug. I would call it a systemic design flaw in PAM. As usual. LOTS of security holes in authentication systems stem from PAM. Why? Because that stuff is overdesigned. Difficult to configure. Gives you MORE than you need to hang yourself several times over. It's been that way for as long as I can remember.
I recall discussing things with one of the authors of PAM, about ten years ago (forgive me for not remembering names at this point). What struck me is that it looks as if PAM wasn't designed to be secure. It's an authentication system, yet it's surprisingly easy to get it to fail open. Yet it's complex enough that there are bad interactions all over the place. Heck, you have to write software defensively if you want PAM to not fuck you over.
It happens that I'm setting up some new (to me) RHEL 7 systems right now, and way too much time has been spent fighting with PAM (and I'm not done yet). So I'll energetically agree with everything Marc says here. Just a few days ago I was talking with one of the other systems-programmers here at RPI, saying how all of PAM should be ripped out and done over. We happened to be talking about a different failure scenario, but it (PAM) has always been a headache for me, almost every time I've dealt with it.
--
Garance Alistair Drosehn = dro...@rpi.edu
Senior Systems Programmer or g...@freebsd.org
Rensselaer Polytechnic Institute; Troy, NY; USA