pam_get_data() can get data when using in SSHD

Darren Tucker dtucker at zip.com.au
Wed Sep 26 11:53:26 UTC 2007


Ian jonhson wrote:
> Thank you very much for your answering.
> 
> However, if I have to pass some data from authentication hook of PAM
> to other hooks, what should I do? As you have said, sshd's
> authentication process has its own address space and PAM's
> authentication hook would be called in this space. That means my PAM
> module will be called at least two times, one is in SSHD's
> authentication process and others will be SSHD's other processes. Is
> it still possible to pass data from PAM authentication hook to other
> hooks by pam_set_data() and pam_get_data() ? What should I do?

It's something that needs to be fixed in sshd, unfortunately there's not
a lot you can do in a PAM module other than implementing some form of
external storage for the items in question.

On the sshd side, you can build OpenSSH with "./configure
--with-cflags=-DUNSUPPORTED_POSIX_THREADS_HACK" which will use POSIX
threads rather than processes (however sshd is not thread-safe, and
there's no guarantee that a given PAM module is either so while it will
probably work, but there's no guarantee) or you can try David Leonard's
patch from the bug (which looks like a better solution although I've not
tested it myself).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.




More information about the Pam-list mailing list