pam_get_data() can get data when using in SSHD

Discussion:

Ian jonhson

2007-09-26 05:08:15 UTC

Hi all,

I met a problem when using the pam_set_data()/pam_get_data() to pass
data between PAM hooks. The two functions are ok when I tested my PAM
module with a simple PAM-aware application, in which data (string
type) can be exchanged between different PAM hooks. However, when I
plug it in SSHD as a authentication module, the pam_get_data() said it
can not get data from a given name, which is used to set data by
pam_set_data().

I don't know what is wrong with PAM module. The simple PAM-aware
application written by me is just a process and one thread, whereas
SSHD forked several threads. So I guessed maybe the difference
between them is that PAM module is loaded by different SSHD threads.
This makes pam_get_data() in one of thread can not get data from
pam_set_data() of another thread. For example, SSHD forked a thread1
to do authentication, which call the hook in PAM module, and set data
by pam_set_data(). Then another thread, thread2, forked by SSHD wants
to get that data by pam_get_data() before opening session. Since they
owned different thread spaces, data can be passed from thread1 to
thread2. I don't know whether my analysis is right. Maybe some one
can share his/her brain with me.

If above analysis is correct, what I can do to deal with it? Could
anybody give me some advices?

Thanks in advances.

Best Regards,

Iam

Ian jonhson

2007-09-26 05:12:26 UTC

Permalink

Darren Tucker

2007-09-26 05:23:49 UTC

Permalink

Post by Ian jonhson
Hi all,
I met a problem when using the pam_set_data()/pam_get_data() to pass
data between PAM hooks. The two functions are ok when I tested my PAM
module with a simple PAM-aware application, in which data (string
type) can be exchanged between different PAM hooks. However, when I
plug it in SSHD as a authentication module, the pam_get_data() said it
can not get data from a given name, which is used to set data by
pam_set_data().
I don't know what is wrong with PAM module. The simple PAM-aware
application written by me is just a process and one thread, whereas
SSHD forked several threads. So I guessed maybe the difference
between them is that PAM module is loaded by different SSHD threads.
This makes pam_get_data() in one of thread can not get data from
pam_set_data() of another thread. For example, SSHD forked a thread1
to do authentication, which call the hook in PAM module, and set data
by pam_set_data(). Then another thread, thread2, forked by SSHD wants
to get that data by pam_get_data() before opening session. Since they
owned different thread spaces, data can be passed from thread1 to
thread2. I don't know whether my analysis is right. Maybe some one
can share his/her brain with me.
If above analysis is correct, what I can do to deal with it? Could
anybody give me some advices?

If you're using OpenSSH then your analysis is more or less correct, except
that by default, sshd's authentication "thread" is actually a process and
thus has its own address space.

See https://bugzilla.mindrot.org/show_bug.cgi?id=688 for details.

Changing this is not trivial (although the patch from David Leonard
in that bug looks promising).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Ian jonhson

2007-09-26 06:00:25 UTC

Permalink

Thank you very much for your answering.

However, if I have to pass some data from authentication hook of PAM
to other hooks, what should I do? As you have said, sshd's
authentication process has its own address space and PAM's
authentication hook would be called in this space. That means my PAM
module will be called at least two times, one is in SSHD's
authentication process and others will be SSHD's other processes. Is
it still possible to pass data from PAM authentication hook to other
hooks by pam_set_data() and pam_get_data() ? What should I do?

Post by Darren Tucker
If you're using OpenSSH then your analysis is more or less correct, except
that by default, sshd's authentication "thread" is actually a process and
thus has its own address space.
See https://bugzilla.mindrot.org/show_bug.cgi?id=688 for details.

Darren Tucker

2007-09-26 11:53:26 UTC

Permalink

Post by Ian jonhson
Thank you very much for your answering.
However, if I have to pass some data from authentication hook of PAM
to other hooks, what should I do? As you have said, sshd's
authentication process has its own address space and PAM's
authentication hook would be called in this space. That means my PAM
module will be called at least two times, one is in SSHD's
authentication process and others will be SSHD's other processes. Is
it still possible to pass data from PAM authentication hook to other
hooks by pam_set_data() and pam_get_data() ? What should I do?

It's something that needs to be fixed in sshd, unfortunately there's not
a lot you can do in a PAM module other than implementing some form of
external storage for the items in question.

On the sshd side, you can build OpenSSH with "./configure
--with-cflags=-DUNSUPPORTED_POSIX_THREADS_HACK" which will use POSIX
threads rather than processes (however sshd is not thread-safe, and
there's no guarantee that a given PAM module is either so while it will
probably work, but there's no guarantee) or you can try David Leonard's
patch from the bug (which looks like a better solution although I've not
tested it myself).

Ian jonhson

2007-09-26 05:19:39 UTC

Permalink