Re: Debian openssh option review: considering splitting out GSS-API key exchange

Damien Miller wrote:
> Another thing we're considering in OpenSSH is changing how we integrate
> with PAM. PAM's API demands loading modules into the authenticating
> process' address space, but obviously we've just been reminded that this
> is risky.

This was a long-standing problem with pam/nss-ldap, which we solved by moving all of the
actual libldap invocations to a separate nslcd process, and only communicated to it
across a unix domain socket via stubs in the pam/nss modules. Mixing instances of libraries
that applications call directly, with instances loaded implicitly by system-level mechanisms,
was always a bad idea and caused endless problems, even without malicious attackers.

> I think that I would prefer to move to a model where the PAM auth and
> account modules run in a helper process, and only the session module
> runs in the unprivileged post-auth sshd process.

We could probably generalize the stub wrapping that we used for nss/pam-ldapd / nslcd to
be a generic interface to a standalone pamd that actually loads the pam modules. Should
be a simple job.

> This means that PAM auth/account modules and their transitive library
> dependencies cannot affect the sshd address space. They would still
> likely need to run with privilege, could still fail permissively in
> unwanted situations and might still be able to cause problems directly
> (e.g. opening a reverse shell from the PAM module itself), but they
> would no longer have direct access to the contents of sshd network
> traffic, signatures, etc that are extremely useful in building NOBUS
> (https://en.wikipedia.org/wiki/NOBUS) backdoors like the xv one.
> 
> Where this gets challenging is that some PAM modules make assumptions
> that the auth, account and session modules all run in the same address
> space. These would break until re-architected to pass things explicitly,
> e.g. via environment variables, temp files, etc.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
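The stub-plus-helper arrangement discussed above (a thin stub in the application that marshals a request over a Unix domain socket to a separate process which actually loads and runs the modules) is small enough to model end to end. The block below is an added example for this thread, not code from OpenSSH, nslcd or pam-ldapd: the "modules", the user table and the four-byte length-prefixed JSON framing are all constructed for the demonstration, and the helper is forked from the caller rather than being a long-running daemon. It also covers the failure mode Damien raises, that modules "could still fail permissively": the stub treats a helper that crashes, hangs or answers with garbage as a denial.

```python
"""Model of the helper-process pattern from the thread: an application-side
stub sends an auth request over an AF_UNIX socket to a helper process that
runs the (simulated) PAM auth/account modules.  Added example; modules,
credentials and wire format are constructed for the demo."""
import json
import os
import socket
import struct

# Constructed stand-ins for PAM modules.  Each takes the request dict and
# returns True (permit) or False (deny).
_USERS = {"alice": "correct horse", "locked": "letmein"}

def _mod_unix_auth(req):
    # Simulated auth module: password check against the constructed table.
    return _USERS.get(req["user"]) == req["password"]

def _mod_account_ok(req):
    # Simulated account module: deny a locked account even with a good password.
    return req["user"] != "locked"

def _mod_buggy(req):
    # Simulated faulty third-party module: kills the helper for one user.
    if req["user"] == "crashy":
        os._exit(1)          # helper dies mid-request; the stub must fail closed
    return True

MODULES = [_mod_unix_auth, _mod_account_ok, _mod_buggy]

# Wire format: 4-byte big-endian length prefix followed by one JSON object.
MAX_FRAME = 65536

def _send(sock, obj):
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(data)) + data)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None      # peer closed the socket (helper exited)
        buf += chunk
    return buf

def _recv(sock):
    hdr = _recv_exact(sock, 4)
    if hdr is None:
        return None
    (n,) = struct.unpack("!I", hdr)
    if n > MAX_FRAME:        # refuse absurd frames from a misbehaving peer
        return None
    body = _recv_exact(sock, n)
    return None if body is None else json.loads(body.decode())

def helper_main(sock):
    """Helper side: only the request fields cross the socket, so the modules
    never see the caller's address space.  Every module runs, and all must
    permit (roughly PAM 'required' behaviour)."""
    while True:
        req = _recv(sock)
        if req is None:
            return
        results = [m(req) for m in MODULES]
        _send(sock, {"ok": all(results)})

def authenticate_via_helper(user, password, timeout=2.0):
    """Stub side: fork a helper, send one request, and deny on any error."""
    parent, child = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:
        parent.close()
        try:
            helper_main(child)
        finally:
            os._exit(0)
    child.close()
    parent.settimeout(timeout)   # a hung helper is a denial, not a wait forever
    try:
        _send(parent, {"op": "auth", "user": user, "password": password})
        reply = _recv(parent)
        return bool(reply and reply.get("ok") is True)
    except (OSError, ValueError):
        return False             # helper crashed, timed out or sent garbage
    finally:
        parent.close()
        os.waitpid(pid, 0)
```

The point of `authenticate_via_helper` is that every path other than an explicit `{"ok": true}` reply ends in a denial: a closed socket, a timeout, an oversized frame or undecodable JSON all return `False`. A real helper would be a persistent privileged daemon rather than a per-call fork, and the per-module "pass things explicitly" problem Damien describes would surface as extra fields in these request and reply objects.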