[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_get_data() can get data when using in SSHD

On Wed, Sep 26, 2007 at 01:12:26PM +0800, Ian jonhson wrote:
> Hi all,
> I met a problem when using the pam_set_data()/pam_get_data() to pass
> data between PAM hooks. The two functions are ok when I tested my PAM
> module with a simple PAM-aware application, in which data  (string
> type) can be exchanged between different PAM hooks. However, when I
> plug it in SSHD as a authentication module, the pam_get_data() said it
> can not get data from a given name, which is used to set data by
> pam_set_data().
> I don't know what is wrong with PAM module. The simple PAM-aware
> application written by me is just a process and one thread, whereas
> SSHD  forked several threads. So I guessed maybe the difference
> between them is that PAM module is loaded by different SSHD threads.
> This makes pam_get_data() in one of thread can not get data from
> pam_set_data() of another thread. For example, SSHD forked a thread1
> to do authentication, which call the hook in PAM module, and set data
> by pam_set_data().  Then another thread, thread2, forked by SSHD wants
> to get  that data by pam_get_data() before opening session. Since they
> owned different thread spaces, data can be passed from thread1 to
> thread2.  I don't know whether my analysis is right. Maybe some one
> can share his/her brain with me.
> If above analysis is correct, what I can do to deal with it? Could
> anybody give me some advices?

If you're using OpenSSH then your analysis is more or less correct, except
that by default, sshd's authentication "thread" is actually a process and
thus has its own address space.

See https://bugzilla.mindrot.org/show_bug.cgi?id=688 for details.

Changing this is not trivial (although the patch from David Leonard
in that bug looks promising).

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]