PAM not run in single address space

Automatically imported from Debian bug report #278394 http://bugs.debian.org/278394

Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 13:43:51 -0400
From: Sam Hartman <email address hidden>
To: <email address hidden>
Subject: PAM not run in single address space

--=-=-=

package: ssh
severity: serious
justification: breaks unrelated packages; violation of pam mini-policy
tags: sarge, sid, patch

Hi. During the ssh 3.7 and 3.8 porting effort I pointed out on
debian-ssh that you needed to be aware of issues surrounding PAM
support in openssh starting with 3.7.

The problem is that the fine folks at openssh had some trouble with
their event loop and decided to spin the pam authentication stuff off
into its own process. This is bad because it breaks pam in several
ways. The primary way is the same authentication handle is not used
for both the pam_authenticate vs pam_open_session/pam_setcred.

This is bad because it prevents pam modules from setting up
credentials and writing them out/enabling them during the set_cred
phase.

It breaks several pam modules, most notably from my standpoint
pam_krb5. It's also a violation of how PAM is intended to be used.
For this reason it is a violation of the Debian PAM mini-policy found
in /usr/share/doc/libpam0g on all Debian systems.

The OpenSSH folks did provide a fix: the -DUSE_POSIX_THREADS compiler
option. Unfortunately this is disabled in the ssh package.

Here's a patch to fix this. I consider this problem fairly serious
and hope we can come to quick agreement on a solution for sarge.

----------------------------------------------------------------------
r228: hartmans | 2004-10-26T17:36:39.333006Z

Enable posix threads for pam so everything is in one address space
----------------------------------------------------------------------
=== trunk/openssh-krb5/debian/rules
==================================================================
--- trunk/openssh-krb5/debian/rules (revision 227)
+++ trunk/openssh-krb5/debian/rules (revision 228)
@@ -64,10 +64,10 @@
  mkdir -p build-deb
  (cd build-deb && ../configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin --with-superuser-path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 \
   --with-privsep-path=/var/run/sshd --without-rand-helper --with-kerberos5=/usr --with-kerberos4=/usr \
- --disable-strip)
+ --disable-strip --with-ldflags='-pthread' )
  # Some 2.2 kernels have trouble with setres[ug]id() (bug #239999).
  perl -pi -e 's/.*#undef (BROKEN_SETRES[UG]ID).*/#define $$1 1/' build-deb/config.h
- $(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='$(OPTFLAGS) -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -DSSH_VERSION="\"$(SSH_VERSION)\""' SSH_KEYSIGN='/usr/lib/ssh-keysign'
+ $(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='$(OPTFLAGS) -g -Wall -DUSE_POSIX_THREADS -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -DSSH_VERSION="\"$(SSH_VERSION)\""' SSH_KEYSIGN='/usr/lib/ssh-keysign'

  touch build-deb-st...

Message-ID: <email address hidden>
Date: Wed, 27 Oct 2004 01:40:46 +0100
From: Colin Watson <email address hidden>
To: Sam Hartman <email address hidden>, <email address hidden>
Subject: Re: Bug#278394: PAM not run in single address space

On Tue, Oct 26, 2004 at 01:43:51PM -0400, Sam Hartman wrote:
> Hi. During the ssh 3.7 and 3.8 porting effort I pointed out on
> debian-ssh that you needed to be aware of issues surrounding PAM
> support in openssh starting with 3.7.
>
> The problem is that the fine folks at openssh had some trouble with
> their event loop and decided to spin the pam authentication stuff off
> into its own process. This is bad because it breaks pam in several
> ways. The primary way is the same authentication handle is not used
> for both the pam_authenticate vs pam_open_session/pam_setcred.
>
> This is bad because it prevents pam modules from setting up
> credentials and writing them out/enabling them during the set_cred
> phase.
>
> It breaks several pam modules, most notably from my standpoint
> pam_krb5. It's also a violation of how PAM is intended to be used.
> For this reason it is a violation of the Debian PAM mini-policy found
> in /usr/share/doc/libpam0g on all Debian systems.
>
>
> The OpenSSH folks did provide a fix: the -DUSE_POSIX_THREADS compiler
> option. Unfortunately this is disabled in the ssh package.
>
> Here's a patch to fix this. I consider this problem fairly serious
> and hope we can come to quick agreement on a solution for sarge.

I'm willing to consider this for sarge, but will have to test it fairly
extensively. Can you outline any possible breakage that I should look
out for? It seems improbable that nothing at all would go wrong with
such a fundamental change.

I'm a little worried about a recurrence of #252676, for instance.

Thanks,

--
Colin Watson [<email address hidden>]

Message-ID: <email address hidden>
Date: Wed, 27 Oct 2004 13:47:12 -0400
From: Sam Hartman <email address hidden>
To: Colin Watson <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#278394: PAM not run in single address space

I think this use of threads is relatively safe.

Basically as I understand it, threads are used to allow the event loop
to run while holding for pam conversation functions.

Likely ways such a design could break:

* Allowing the pam authentication thread to escape and somehow getting into the rest of the code
* Allowing two pam threads to exist
* failing to cleanup the pam thread
* Having some interaction where a PAM module or one of its
  dependencies detects that it is running in a threaded application
  and changes its behavior.

I think all of these are unlikely. I'd be happy to audit the code to
give a better risk description. I'll assume such an audit would be
welcome and start working on it.

In many ways I think using threads simplifies the code. Note for
example that #252676 could not have happened with threads enabled.

--Sam

Message-ID: <email address hidden>
Date: Fri, 29 Oct 2004 10:38:03 -0400
From: Sam Hartman <email address hidden>
To: Colin Watson <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#278394: PAM not run in single address space

Hi.

I just wanted to let you know that I have done an audit of the thread
code in auth-pam.c.

This is the simplest use of threads I've ever seen outside of a
classroom exercise.

The authentication thread is self contained and I don't see how it
could manage to escape into other parts of the program. Similarly,
the process managed is significantly simplified in the threads case
compared to the non-threads case.

Short of a libc bug or a misbehaving PAM module I would be surprised
if this code introduces any problems.

Message-ID: <email address hidden>
Date: Mon, 1 Nov 2004 18:49:55 +0000
From: Colin Watson <email address hidden>
To: Sam Hartman <email address hidden>, <email address hidden>
Subject: Re: Bug#278394: PAM not run in single address space

On Fri, Oct 29, 2004 at 10:38:03AM -0400, Sam Hartman wrote:
> I just wanted to let you know that I have done an audit of the thread
> code in auth-pam.c.
>
> This is the simplest use of threads I've ever seen outside of a
> classroom exercise.
>
> The authentication thread is self contained and I don't see how it
> could manage to escape into other parts of the program. Similarly,
> the process managed is significantly simplified in the threads case
> compared to the non-threads case.
>
>
> Short of a libc bug or a misbehaving PAM module I would be surprised
> if this code introduces any problems.

OK, that's fairly conclusive; thanks. I've committed your patch, with
the additional change that I arranged for only sshd to be linked against
libpthread, since only sshd includes auth-pam.c; that seemed like a less
risky course.

I'll upload once Steve has reviewed the current version of openssh in
unstable and (I hope) moved it into testing.

Cheers,

--
Colin Watson [<email address hidden>]

Message-Id: <email address hidden>
Date: Fri, 12 Nov 2004 06:32:17 -0500
From: Colin Watson <email address hidden>
To: <email address hidden>
Subject: Bug#278394: fixed in openssh 1:3.8.1p1-8.sarge.3

Source: openssh
Source-Version: 1:3.8.1p1-8.sarge.3

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_3.8.1p1-8.sarge.3_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_3.8.1p1-8.sarge.3_powerpc.udeb
openssh-server-udeb_3.8.1p1-8.sarge.3_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_3.8.1p1-8.sarge.3_powerpc.udeb
openssh_3.8.1p1-8.sarge.3.diff.gz
  to pool/main/o/openssh/openssh_3.8.1p1-8.sarge.3.diff.gz
openssh_3.8.1p1-8.sarge.3.dsc
  to pool/main/o/openssh/openssh_3.8.1p1-8.sarge.3.dsc
ssh-askpass-gnome_3.8.1p1-8.sarge.3_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-8.sarge.3_powerpc.deb
ssh_3.8.1p1-8.sarge.3_powerpc.deb
  to pool/main/o/openssh/ssh_3.8.1p1-8.sarge.3_powerpc.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <email address hidden> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 12 Nov 2004 10:31:12 +0000
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server-udeb
Architecture: source powerpc
Version: 1:3.8.1p1-8.sarge.3
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <email address hidden>
Changed-By: Colin Watson <email address hidden>
Description:
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh - Secure rlogin/rsh/rcp replacement (OpenSSH)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 278394 278715 280190
Changes:
 openssh (1:3.8.1p1-8.sarge.3) unstable; urgency=low
 .
   * Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
   * debconf template translations:
     - Update Dutch (thanks, cobaco; closes: #278715).
   * Correct README.Debian's ForwardX11Trusted description (closes: #280190).
Files:
 623fbfd12873e27ba874ca02a6f64bab 906 net standard openssh_3.8.1p1-8.sarge.3.dsc
 22fa5b7b3232bd7f583be97a54aaf4f6 156186 net standard openssh_3.8.1p1-8.sarge.3.diff.gz
 5aa5c9399f90758219e623f3788ba16c 737112 net standard ssh_3.8.1p1-8.sarge.3_powerpc.deb
 38b147f7447e86bceafb4af4c759fdea 52588 gnome optional ssh-askpass-gnome_3.8.1p1-8.sarge.3_powerpc.deb
 8045bed8de34e0596061b5c1b6835acd 151070 debian-installer optional openssh-client-udeb_3.8.1p1-8.sarge.3_powerpc.udeb
 93eadd0ce5c675889492d618573f2fd5 160042 debian-installer optional op...

openssh (1:3.8.1p1-13ubuntu1) hoary; urgency=low

  * Resynchronise with Debian.

 -- Colin Watson <email address hidden> Fri, 12 Nov 2004 13:06:45 +0000

openssh (1:3.8.1p1-13) experimental; urgency=low

  * Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
  * debconf template translations:
    - Update Dutch (thanks, cobaco; closes: #278715).
  * Correct README.Debian's ForwardX11Trusted description (closes: #280190).

 -- Colin Watson <email address hidden> Fri, 12 Nov 2004 12:03:13 +0000

Message-Id: <email address hidden>
Date: Fri, 12 Nov 2004 08:32:05 -0500
From: Colin Watson <email address hidden>
To: <email address hidden>
Cc: Colin Watson <email address hidden>, Matthew Vernon <email address hidden>
Subject: Fixed in upload of openssh 1:3.8.1p1-13 to experimental

tag 278394 + fixed-in-experimental
tag 278715 + fixed-in-experimental
tag 280190 + fixed-in-experimental

quit

This message was generated automatically in response to an
upload to the experimental distribution. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 12 Nov 2004 12:03:13 +0000
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:3.8.1p1-13
Distribution: experimental
Urgency: low
Maintainer: Matthew Vernon <email address hidden>
Changed-By: Colin Watson <email address hidden>
Description:
 openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server - Secure shell server, an rshd replacement
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh - Secure shell client and server (transitional package)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 278394 278715 280190
Changes:
 openssh (1:3.8.1p1-13) experimental; urgency=low
 .
   * Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
   * debconf template translations:
     - Update Dutch (thanks, cobaco; closes: #278715).
   * Correct README.Debian's ForwardX11Trusted description (closes: #280190).
Files:
 b215321e3f6448a84d5051dcd219b634 924 net standard openssh_3.8.1p1-13.dsc
 ea927b7324478243f29934debb40fb51 146312 net standard openssh_3.8.1p1-13.diff.gz
 c04a8319ede1408ef43ec04ebcd638b9 520808 net standard openssh-client_3.8.1p1-13_powerpc.deb
 099564a25dd894ee71e54a161dcf4eed 259684 net optional openssh-server_3.8.1p1-13_powerpc.deb
 7076b9dc533809eefe979b937dc39159 29822 net optional ssh_3.8.1p1-13_all.deb
 24fdafe9f89dda60420557ee2757626d 54214 gnome optional ssh-askpass-gnome_3.8.1p1-13_powerpc.deb
 cc45105a837fbb7ecf3c8f66b55e777b 151048 debian-installer optional openssh-client-udeb_3.8.1p1-13_powerpc.udeb
 f3bffea500ff50549e83deb5ec3a1747 160038 debian-installer optional openssh-server-udeb_3.8.1p1-13_powerpc.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Colin Watson <email address hidden> -- Debian developer

iD8DBQFBlK3u9t0zAhD6TNERAocnAJ9A6cRGrDeK6EZWPTqray8gw79BMwCfc2Ct
qzJUv0g6HyyNPTtZbBKvh04=
=LfJi
-----END PGP SIGNATURE-----