openssh unix dev - Jan 2013 - PAM function ordering

Dear all,

I've been looking into hacking with some PAM modules, and thought I could
learn from the OpenSSH source (it's probably the closest thing to a
canonical cross-platform consumer of the API).

One thing I've noticed I don't understand though is how OpenSSH's
invocation of do_pam_session/setcred can work (in main of the process
forked in sshd.c). Ignoring privsep for the moment, if we're doing
challenge-response then pam_authenticate is happening in the PAM
"thread",
so the pam_h we call pam_setcred with isn't the one that we called
pam_authenticate with. The pam_h the main process is using at this stage
seems to be the one created in sshpam_init_authctx (or mm_init_auth_ctx
with privsep) and hasn't had pam_authenticate called on it, has it?

I've checked FreeBSD's pam_krb5 source, for example, and I can see that
it
uses pam_set/get_data to stash the krb5ccache between calls to
pam_authenticate and pam_setcred. I don't understand how OpenSSH carries
that data over from the "thread" back to the main process; I can only
see
the environment list being copied across.

I can also see that OpenSSH swallows all errors from pam_setcred if
pam_authenticate wasn't called, so clearly this isn't going to stop
connections. I remain confused though how the krb5 module in BSD could ever
have its setcred function called successfully by OpenSSH. Perhaps it's an
eccentric Kerberos implementation?

Similarly, I wonder if there are any known guidelines on how
pam_setcred(DESTROY) and pam_close_session are meant to be called, and if
there are any constraints in the order between to be portable?

Thanks ever so much for any clues you could give me. Hopefully I'm simply
missing something.

Nicholas

----------
Nicholas Wilson: nicholas at nicholaswilson.uk

On Sat, 19 Jan 2013, Nicholas Wilson wrote:
> Dear all,
> 
> I've been looking into hacking with some PAM modules, and thought I
could
> learn from the OpenSSH source (it's probably the closest thing to a
> canonical cross-platform consumer of the API).
Hmmm. We are probably not the best learning example for PAM, we're
probably more of a cautionary example of how PAM's API doesn't fit with
modern, privilege- minimising and separated applications.
> One thing I've noticed I don't understand though is how
OpenSSH's
> invocation of do_pam_session/setcred can work (in main of the process
> forked in sshd.c). Ignoring privsep for the moment, if we're doing
> challenge-response then pam_authenticate is happening in the PAM
"thread",
> so the pam_h we call pam_setcred with isn't the one that we called
> pam_authenticate with. The pam_h the main process is using at this stage
> seems to be the one created in sshpam_init_authctx (or mm_init_auth_ctx
> with privsep) and hasn't had pam_authenticate called on it, has it?
> 
> I've checked FreeBSD's pam_krb5 source, for example, and I can see
that it
> uses pam_set/get_data to stash the krb5ccache between calls to
> pam_authenticate and pam_setcred. I don't understand how OpenSSH
carries
> that data over from the "thread" back to the main process; I can
only see
> the environment list being copied across.
Right, anything that uses pam_get/set_data will break on OpenSSH. So
far we've accepted this as a price of keeping our PAM code sane and
easy to reason about. Various alternatives have been suggested, but all
have turned my sunglasses black.
> I can also see that OpenSSH swallows all errors from pam_setcred if
> pam_authenticate wasn't called, so clearly this isn't going to stop
> connections. I remain confused though how the krb5 module in BSD could ever
> have its setcred function called successfully by OpenSSH. Perhaps it's
an
> eccentric Kerberos implementation?
I think most people use the GSSAPI support in OpenSSH directly instead
of pam_krb5.
> Similarly, I wonder if there are any known guidelines on how
> pam_setcred(DESTROY) and pam_close_session are meant to be called, and if
> there are any constraints in the order between to be portable?
No, there are no guidelines for most of PAM. That's part of the problem.

Darren has a list of problems with PAM at http://www.dtucker.net/pam/

-d