[Bug 1215] sshd requires entry from getpwnam for PAM accounts
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Sat May 19 11:21:24 EST 2007
http://bugzilla.mindrot.org/show_bug.cgi?id=1215
Jesse Zbikowski <embeddedlinuxguy at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |embeddedlinuxguy at gmail.com
--- Comment #7 from Jesse Zbikowski <embeddedlinuxguy at gmail.com> 2007-05-19 11:21:19 ---
Darren, thanks for this patch. I am using it to authenticate TACACS+
users using pam_tacplus. However I can't get it to do authorization in
a sane way.
The user mapping is done immediately after authentication. This means
I can't use TACACS+ for authorization. For my experiment, I hacked
pam_tacplus to set the PAM username to "op", which is a valid Unix
user, following authentication. When ssh then makes the authorization
request, it tries to authorize "op", which TACACS+ doesn't know about
-- rather than the original TACACS+ user. /etc/pam.d/ssh then falls
back to system-auth (in Fedora 5, this is basically pam_unix.so
passwd-based authorization). So the effect is, all authenticated
TACACS+ users get authorized, even if they don't have the desired
service/protocol a/v pairs. I believe the user mapping should be
performed as the last step, after pam_acct_mgmt() (i.e. authorization)
and pam_open_session() (i.e. accounting).
Worse: after authorizing "op" via system-auth, the PAM username gets
set to "root". Thus pam_open_session() is sending accounting data for
"root" to the TACACS+ server, and the user gets a root shell.
Presumably the username gets set to "root" by pam_unix.so.
To work around this, I patched pam-auth.c to store the mapped username
in an environment variable PAM_MAP_USER. Then after accounting, we
restore the mapped username. This works around the "root shell"
problem, though not the inability to authorize with TACACS+. Clearly
what I'm doing here is awful, but it illustrates the problem. I did
try to change pam-auth.c to defer user-mapping until after we open the
accounting session, but this seems to be non-trivial. Please advise on
the best approach from here.
Here is the debug output for sshd without my hack:
debug1: auth2_challenge: user=tacuser devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for tacuser from 192.168.0.104 port
37235 ssh2
debug1: sshpam_check_userchanged
debug1: PAM: user mapped from 'tacuser' to 'op'
debug1: PAM: user 'op' now valid
debug1: do_pam_account: called
debug1: sshpam_check_userchanged
debug1: PAM: got username 'root' from thread
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list