PAM not run in single address space
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
openssh (Debian) | Fix Released | Unknown | | |
openssh (Ubuntu) | Fix Released | High | Colin Watson | |
Bug Description
Automatically imported from Debian bug report #278394 http://
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 13:43:51 -0400
From: Sam Hartman <email address hidden>
To: <email address hidden>
Subject: PAM not run in single address space
--=-=-=
package: ssh
severity: serious
justification: breaks unrelated packages; violation of pam mini-policy
tags: sarge, sid, patch
Hi. During the ssh 3.7 and 3.8 porting effort I pointed out on
debian-ssh that you needed to be aware of issues surrounding PAM
support in openssh starting with 3.7.
The problem is that the fine folks at openssh had some trouble with
their event loop and decided to spin the pam authentication stuff off
into its own process. This is bad because it breaks pam in several
ways. The primary way is the same authentication handle is not used
for both the pam_authenticate vs pam_open_
This is bad because it prevents pam modules from setting up
credentials and writing them out/enabling them during the set_cred
phase.
It breaks several pam modules, most notably from my standpoint
pam_krb5. It's also a violation of how PAM is intended to be used.
For this reason it is a violation of the Debian PAM mini-policy found
in /usr/share/
The OpenSSH folks did provide a fix: the -DUSE_POSIX_THREADS compiler
option. Unfortunately this is disabled in the ssh package.
Here's a patch to fix this. I consider this problem fairly serious
and hope we can come to quick agreement on a solution for sarge.
-------
r228: hartmans | 2004-10-
Enable posix threads for pam so everything is in one address space
-------
=== trunk/openssh-
=======
--- trunk/openssh-
+++ trunk/openssh-
@@ -64,10 +64,10 @@
mkdir -p build-deb
(cd build-deb && ../configure --prefix=/usr --sysconfdir=
--with-
- --disable-strip)
+ --disable-strip --with-
# Some 2.2 kernels have trouble with setres[ug]id() (bug #239999).
perl -pi -e 's/.*#undef (BROKEN_
- $(MAKE) -C build-deb -j 2 ASKPASS_
+ $(MAKE) -C build-deb -j 2 ASKPASS_
touch build-deb-st...
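Review bot: Neither changed line (the option appended after --disable-strip in the configure call, and the modified $(MAKE) -C build-deb invocation) carries a comment saying why it is there, while the setres[ug]id workaround sitting between them cites its bug number; add a one-line comment naming the PAM single-address-space requirement so the setting is not dropped in a later cleanup of the rules file. The make-line change also applies to everything built under build-deb, and the added text is cut off here, so if it carries the thread define or a thread library link flag, consider scoping it to the one binary that needs it rather than the whole tree.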
In Debian Bug tracker #278394, Colin Watson (cjwatson) wrote : Re: Bug#278394: PAM not run in single address space | #3 |
On Tue, Oct 26, 2004 at 01:43:51PM -0400, Sam Hartman wrote:
> Hi. During the ssh 3.7 and 3.8 porting effort I pointed out on
> debian-ssh that you needed to be aware of issues surrounding PAM
> support in openssh starting with 3.7.
>
> The problem is that the fine folks at openssh had some trouble with
> their event loop and decided to spin the pam authentication stuff off
> into its own process. This is bad because it breaks pam in several
> ways. The primary way is the same authentication handle is not used
> for both the pam_authenticate vs pam_open_
>
> This is bad because it prevents pam modules from setting up
> credentials and writing them out/enabling them during the set_cred
> phase.
>
> It breaks several pam modules, most notably from my standpoint
> pam_krb5. It's also a violation of how PAM is intended to be used.
> For this reason it is a violation of the Debian PAM mini-policy found
> in /usr/share/
>
>
> The OpenSSH folks did provide a fix: the -DUSE_POSIX_THREADS compiler
> option. Unfortunately this is disabled in the ssh package.
>
> Here's a patch to fix this. I consider this problem fairly serious
> and hope we can come to quick agreement on a solution for sarge.
I'm willing to consider this for sarge, but will have to test it fairly
extensively. Can you outline any possible breakage that I should look
out for? It seems improbable that nothing at all would go wrong with
such a fundamental change.
I'm a little worried about a recurrence of #252676, for instance.
Thanks,
--
Colin Watson [<email address hidden>]
Debian Bug Importer (debzilla) wrote : | #4 |
Message-ID: <email address hidden>
Date: Wed, 27 Oct 2004 01:40:46 +0100
From: Colin Watson <email address hidden>
To: Sam Hartman <email address hidden>, <email address hidden>
Subject: Re: Bug#278394: PAM not run in single address space
In Debian Bug tracker #278394, Sam Hartman (hartmans) wrote : | #5 |
I think this use of threads is relatively safe.
Basically as I understand it, threads are used to allow the event loop
to run while holding for pam conversation functions.
Likely ways such a design could break:
* Allowing the pam authentication thread to escape and somehow getting into the rest of the code
* Allowing two pam threads to exist
* Failing to clean up the pam thread
* Having some interaction where a PAM module or one of its
dependencies detects that it is running in a threaded application
and changes its behavior.
I think all of these are unlikely. I'd be happy to audit the code to
give a better risk description. I'll assume such an audit would be
welcome and start working on it.
In many ways I think using threads simplifies the code. Note for
example that #252676 could not have happened with threads enabled.
--Sam
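The address-space problem from the original report, reduced to a mock handle. This is an added example, not OpenSSH or libpam code and not part of any message in this thread; mock_handle, mock_authenticate and mock_setcred are hypothetical stand-ins for a PAM handle and a module's authenticate and setcred phases, and the cache name is constructed.

```c
/* Added illustration: a mock PAM handle, not libpam. All names are hypothetical. */
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for a PAM handle: modules keep per-login state here
 * (the role pam_set_data()/pam_get_data() play in real PAM). */
struct mock_handle {
    char ccache[64];   /* e.g. credential cache name saved by a krb5-style module */
};

/* "authenticate" phase: the module records state in the handle. */
static int mock_authenticate(struct mock_handle *h) {
    snprintf(h->ccache, sizeof h->ccache, "FILE:/tmp/krb5cc_constructed");
    return 0;
}

/* "setcred" phase: succeeds only if the state from authenticate is visible. */
static int mock_setcred(const struct mock_handle *h) {
    return h->ccache[0] != '\0' ? 0 : -1;
}

static void *auth_thread(void *arg) {
    mock_authenticate(arg);
    return NULL;
}

/* Authentication in a forked child: the write lands in the child's copy. */
int setcred_after_fork(void) {
    struct mock_handle h;
    int status;
    memset(&h, 0, sizeof h);
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0)
        _exit(mock_authenticate(&h));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -2;
    return mock_setcred(&h);   /* parent's handle is still empty */
}

/* Authentication in a thread: same address space, same handle. */
int setcred_after_thread(void) {
    struct mock_handle h;
    pthread_t t;
    memset(&h, 0, sizeof h);
    if (pthread_create(&t, NULL, auth_thread, &h) != 0)
        return -2;
    if (pthread_join(t, NULL) != 0)
        return -2;
    return mock_setcred(&h);
}

int main(void) {
    printf("fork:   setcred -> %d\n", setcred_after_fork());
    printf("thread: setcred -> %d\n", setcred_after_thread());
    return 0;
}
```

The child reports a successful authentication in both variants; only the threaded one leaves the module's state where the later phase can find it.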
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <email address hidden>
Date: Wed, 27 Oct 2004 13:47:12 -0400
From: Sam Hartman <email address hidden>
To: Colin Watson <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#278394: PAM not run in single address space
In Debian Bug tracker #278394, Sam Hartman (hartmans) wrote : | #7 |
Hi.
I just wanted to let you know that I have done an audit of the thread
code in auth-pam.c.
This is the simplest use of threads I've ever seen outside of a
classroom exercise.
The authentication thread is self contained and I don't see how it
could manage to escape into other parts of the program. Similarly,
the process managed is significantly simplified in the threads case
compared to the non-threads case.
Short of a libc bug or a misbehaving PAM module I would be surprised
if this code introduces any problems.
Debian Bug Importer (debzilla) wrote : | #8 |
Message-ID: <email address hidden>
Date: Fri, 29 Oct 2004 10:38:03 -0400
From: Sam Hartman <email address hidden>
To: Colin Watson <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#278394: PAM not run in single address space
In Debian Bug tracker #278394, Colin Watson (cjwatson) wrote : | #9 |
On Fri, Oct 29, 2004 at 10:38:03AM -0400, Sam Hartman wrote:
> I just wanted to let you know that I have done an audit of the thread
> code in auth-pam.c.
>
> This is the simplest use of threads I've ever seen outside of a
> classroom exercise.
>
> The authentication thread is self contained and I don't see how it
> could manage to escape into other parts of the program. Similarly,
> the process managed is significantly simplified in the threads case
> compared to the non-threads case.
>
>
> Short of a libc bug or a misbehaving PAM module I would be surprised
> if this code introduces any problems.
OK, that's fairly conclusive; thanks. I've committed your patch, with
the additional change that I arranged for only sshd to be linked against
libpthread, since only sshd includes auth-pam.c; that seemed like a less
risky course.
I'll upload once Steve has reviewed the current version of openssh in
unstable and (I hope) moved it into testing.
Cheers,
--
Colin Watson [<email address hidden>]
Debian Bug Importer (debzilla) wrote : | #10 |
Message-ID: <email address hidden>
Date: Mon, 1 Nov 2004 18:49:55 +0000
From: Colin Watson <email address hidden>
To: Sam Hartman <email address hidden>, <email address hidden>
Subject: Re: Bug#278394: PAM not run in single address space
In Debian Bug tracker #278394, Colin Watson (cjwatson) wrote : Bug#278394: fixed in openssh 1:3.8.1p1-8.sarge.3 | #11 |
Source: openssh
Source-Version: 1:3.8.1p1-8.sarge.3
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:
openssh-
to pool/main/
openssh-
to pool/main/
openssh_
to pool/main/
openssh_
to pool/main/
ssh-askpass-
to pool/main/
ssh_3.8.
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <email address hidden> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 12 Nov 2004 10:31:12 +0000
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server-udeb
Architecture: source powerpc
Version: 1:3.8.1p1-8.sarge.3
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <email address hidden>
Changed-By: Colin Watson <email address hidden>
Description:
openssh-
openssh-
ssh - Secure rlogin/rsh/rcp replacement (OpenSSH)
ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 278394 278715 280190
Changes:
openssh (1:3.8.
.
* Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
* debconf template translations:
- Update Dutch (thanks, cobaco; closes: #278715).
* Correct README.Debian's ForwardX11Trusted description (closes: #280190).
Files:
Debian Bug Importer (debzilla) wrote : | #12 |
Message-Id: <email address hidden>
Date: Fri, 12 Nov 2004 06:32:17 -0500
From: Colin Watson <email address hidden>
To: <email address hidden>
Subject: Bug#278394: fixed in openssh 1:3.8.1p1-8.sarge.3
Colin Watson (cjwatson) wrote : | #13 |
openssh (1:3.8.
* Resynchronise with Debian.
-- Colin Watson <email address hidden> Fri, 12 Nov 2004 13:06:45 +0000
openssh (1:3.8.1p1-13) experimental; urgency=low
* Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
* debconf template translations:
- Update Dutch (thanks, cobaco; closes: #278715).
* Correct README.Debian's ForwardX11Trusted description (closes: #280190).
-- Colin Watson <email address hidden> Fri, 12 Nov 2004 12:03:13 +0000
In Debian Bug tracker #278394, Colin Watson (cjwatson) wrote : Fixed in upload of openssh 1:3.8.1p1-13 to experimental | #14 |
tag 278394 + fixed-in-
tag 278715 + fixed-in-
tag 280190 + fixed-in-
quit
This message was generated automatically in response to an
upload to the experimental distribution. The .changes file follows.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 12 Nov 2004 12:03:13 +0000
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:3.8.1p1-13
Distribution: experimental
Urgency: low
Maintainer: Matthew Vernon <email address hidden>
Changed-By: Colin Watson <email address hidden>
Description:
openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
openssh-
openssh-server - Secure shell server, an rshd replacement
openssh-
ssh - Secure shell client and server (transitional package)
ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 278394 278715 280190
Changes:
openssh (1:3.8.1p1-13) experimental; urgency=low
.
* Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
* debconf template translations:
- Update Dutch (thanks, cobaco; closes: #278715).
* Correct README.Debian's ForwardX11Trusted description (closes: #280190).
Files:
Debian Bug Importer (debzilla) wrote : | #15 |
Message-Id: <email address hidden>
Date: Fri, 12 Nov 2004 08:32:05 -0500
From: Colin Watson <email address hidden>
To: <email address hidden>
Cc: Colin Watson <email address hidden>, Matthew Vernon <email address hidden>
Subject: Fixed in upload of openssh 1:3.8.1p1-13 to experimental
Changed in openssh:
status: Unknown → Fix Released
Automatically imported from Debian bug report #278394 http://bugs.debian.org/278394