Subject: Re: PAM vulnerability in portable OpenSSH
To: None <dan@devonit.com>
From: Damien Miller <djm@mindrot.org>
List: current-users
Date: 09/24/2003 08:08:57
> Interesting quote:
>
> "Due to complexity, inconsistencies in the specification and differences
> between vendors' PAM implementations we recommend that PAM be left disabled
> in sshd_config unless there is a need for its use. Sites only using public
> key or simple password authentication usually have little need to enable PAM
> support."
>
> Slander? Don't think so.
It is only slander if it is false. Let's look at the charges:
1. Complexity - it is self-evident that PAM adds complexity to
login-like program's implementation. This is before one has to
take into account its horribly broken, non-interruptible
conversation function.
2. Inconsistencies in the specification - these have been documented
by a PAM implementor at http://www.openpam.org/errata.html If you like
reading vague specs, try reading the original PAM DCE RFC. This
vagueness contributed to one of the vulnerabilities mentioned.
3. Differences between vendors' implementations. Solaris PAM passes
message arguments differently to LinuxPAM and OpenPAM. Some PAM
implementations fatally break unless you set a PAM_TTY. There are
differences in how implementations respond to credential
(re-)initialisation and operation across different processes.
So I think that the recommendation to disable PAM unless you need it is
a conservative one. For sites that just use password or OpenSSH's native
authentication methods, the only thing that PAM really buys you is a
standard log message.
-d