Bugtraq mailing list archives
Re: pam session
From: Pawel Krawczyk <kravietz () aba krakow pl>
Date: Sat, 23 Jun 2001 10:13:41 +0200
On Tue, Jun 19, 2001 at 03:11:02AM +0200, Christian Kraemer wrote:
This is especially annoying if you use pam_limits.so to set rlimits. Every user could circumvent them easily by calling ssh in this way: ssh user@server /bin/sh
The same problem was present in SSH 1.2.x some time ago and I've created a patch to fix it (http://ceti.pl/~kravietz/prog.html). PAM session start had to be called from two procedures (one for interactive, one for non-interactive login), and then closed. The latter required keeping session state in some variable throughout the login time, and it created several problems with how to do this in a nice and secure way. In general, using the PAM session management required much more effort than other authentication methods and it was simply skipped by the developers. However, I don't remember the exact details and many things could have changed in recent PAM versions.