https://bugzilla.mindrot.org/show_bug.cgi?id=2548
--- Comment #1 from Tomas Kuthan <[email protected]> --- Created attachment 2796 --> https://bugzilla.mindrot.org/attachment.cgi?id=2796&action=edit Switch roles of monitor and auxiliar PAM process in PAM authentication. The proposed patch fixes this by switching the roles of the monitor and the auxiliary process when doing PAM authentication. In the new code the monitor will be the one calling pam_authenticate and pam_acct_mgmt (eventually blocking and calling callbacks), whereas the other process (callback child) will be sending messages to the client (either directly or through privsep child). The resulting code flow looks like this: (monitor) | fork --------------------------(privsep child) | | pam_start | | | fork ------- (callback child) | | | | pam_authenticate | | | | | pam_acct_mgmt | <--msgs--> | | | | pam_chauthtok | | | | | | X | | | | X | pam_setcred | pam_open_session | fork ------ (authenticated child) | | | setreuid(100) | | | fork ------- (future shell) | | | | | exec(bash) | | | | | X | | | X | pam_close_session | pam_setcred | pam_end | X When the monitor is done calling PAM functions, it sends the callback child a message relieving it from the duties. In response, the callback child sends back any state information required and exits. After that, the monitor resumes communication with the client. When privilege separation is off, passing state from the callback child back to the monitor is more tricky. The callback child has been communicating directly with the ssh client for PAM prompts and responses. When the monitor tries the resume the communication with the client, the packet state has already diverged. The child has sent several messages in between, and the client is expecting different sequence number, different state of crypto counters and so on. As a result, the child hangs up upon the first packet from the monitor after the exit of the callback child. To solve that, in the no privsep case, the callback child serializes the packet state before it exits, sends it over to the monitor, which restores the packet state. Now all the internal state matches and the ssh client does not hang up anymore. There is one corner case, where this does not work. When privilege separation has been turned off (not recommended, on by default) and compression has been set to 'zlib' (not recommended, '[email protected]' by default), passing the packet state from the callback child back to the monitor fails with a compression state error. In that case, the current patch prints an error message and sets compression from 'yes' to 'delayed'. Making it work even with 'early' compression is possible, but would require keeping compression state in memory shared between the monitor and the callback child. I believe supporting this undesired configuration is not worth the damage it would do to the code layers abstraction and the risks. The proposed patch also removes the code for UNSUPPORTED_POSIX_THREADS_HACK. Now that all PAM calls take place in a single process space, there is no need for thread support. As a nit, substring 'thread' has been removed from symbol names too. -- You are receiving this mail because: You are watching the assignee of the bug. _______________________________________________ openssh-bugs mailing list [email protected] https://lists.mindrot.org/mailman/listinfo/openssh-bugs
