[Bug 2408] New: Expose authentication information to PAM
bugzilla-daemon at mindrot.org
Wed Jun 3 17:47:35 AEST 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2408
Bug ID: 2408
Summary: Expose authentication information to PAM
Product: Portable OpenSSH
Version: -current
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
Reporter: dgy.jr92 at gmail.com
It would be beneficial if sshd could expose details about the
previously successful authentications to the loaded PAM modules when
PAM authentication is used (typically the last method in the chain).
E.g. sshd could set a PAM environment variable that holds the useful
information, like this:
SSH_USER_AUTH=hostbased RSA SHA256:Iw75Ex+Re8WyIjqHEukxHtwz2weTFTBLPD2J9doYEfU, publickey CA ED25519 SHA256:rLKEbjpoN2+kuMQB7EiPqaeHut65ZfSe/z1EaWtKEmk Cert ID djm at mindrot.org Serial 27908739, password
This way, a smart PAM stack could make decisions based upon the
previously successful authentication methods and/or the supplied
credentials. For example, one might want to invoke different PAM
modules when the user has been successfully authenticated via GSS-API
than otherwise. (For a more detailed description of my particular use
case, please check out:
http://serverfault.com/questions/690038/openssh-two-factor-authentication-combined-with-kerberos-public-key)
You can also find some rudimentary PoC code that shows what I've been
playing with as a start:
https://github.com/dgyuri92/openssh-portable/tree/f/pam_auth_list
For further questions about the idea, please feel free to contact me
via e-mail. Thanks a lot.
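A model of the mechanism the report proposes, added here as an example; it is not code from the report, from the linked PoC branch, or from OpenSSH. It parses an SSH_USER_AUTH value in the comma-separated layout sketched above ("method [CA] [key-type] [SHA256:fingerprint] [Cert ID ...] [Serial n]") and then makes the kind of decision the report has in mind: whether the PAM stack still needs to ask for a second factor given which methods already succeeded and which credential was presented. The variable name and token order follow the report's sketch; the token-position rules, the policy (Kerberos or a CA-signed key counts as a strong first factor, a plain key only if its fingerprint is on a known list), the placeholder certificate identity in the sample and all helper names are assumptions of this example.

```python
"""Parse the SSH_USER_AUTH value proposed in the report and derive a PAM
policy decision from it.  Illustration only: neither sshd nor a PAM module."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

FINGERPRINT_RE = re.compile(r"SHA256:[A-Za-z0-9+/=]+")
SERIAL_RE = re.compile(r"\bSerial (\d+)\b")

# Assumption of this example: methods whose success already rests on an
# externally verified credential (Kerberos via the KDC).
STRONG_METHODS = frozenset({"gssapi-with-mic"})


@dataclass
class AuthEntry:
    method: str                      # e.g. "hostbased", "publickey", "password"
    key_type: Optional[str] = None   # e.g. "RSA", "ED25519"
    fingerprint: Optional[str] = None
    is_cert: bool = False            # "CA" token present: key was certified
    serial: Optional[int] = None     # certificate serial, if any


def parse_ssh_user_auth(value: str) -> List[AuthEntry]:
    """Split the value into one AuthEntry per successful method.

    Token layout is this example's reading of the report's sketch: the
    first token is the method, an optional "CA" marks a certificate, the
    first remaining token that is not a fingerprint is the key type."""
    entries = []
    for raw in value.split(","):
        tokens = raw.split()
        if not tokens:
            continue
        details = tokens[1:]
        entry = AuthEntry(method=tokens[0], is_cert="CA" in details)
        for tok in details:
            if tok == "CA" or tok.startswith("SHA256:"):
                continue
            entry.key_type = tok
            break
        m = FINGERPRINT_RE.search(raw)
        if m:
            entry.fingerprint = m.group(0)
        m = SERIAL_RE.search(raw)
        if m:
            entry.serial = int(m.group(1))
        entries.append(entry)
    return entries


def second_factor_required(entries: List[AuthEntry],
                           known_key_fingerprints: FrozenSet[str] = frozenset()) -> bool:
    """Decide whether the PAM stack should still prompt for a second factor.

    Policy (assumed for this example): a Kerberos success, a CA-signed
    public key, or a public key on the known-fingerprint list is a strong
    first factor; a password or an unlisted plain key is not.  The entries
    are trusted only because sshd, not the client, sets the PAM variable."""
    for e in entries:
        if e.method in STRONG_METHODS:
            return False
        if e.method == "publickey" and (e.is_cert or e.fingerprint in known_key_fingerprints):
            return False
    return True


# Constructed sample following the report's example value; the certificate
# identity is a placeholder.
SAMPLE = ("hostbased RSA SHA256:Iw75Ex+Re8WyIjqHEukxHtwz2weTFTBLPD2J9doYEfU, "
          "publickey CA ED25519 SHA256:rLKEbjpoN2+kuMQB7EiPqaeHut65ZfSe/z1EaWtKEmk "
          "Cert ID alice@example.org Serial 27908739, password")

if __name__ == "__main__":
    parsed = parse_ssh_user_auth(SAMPLE)
    for e in parsed:
        print(e)
    print("second factor required:", second_factor_required(parsed))
```

The parser is deliberately tolerant of methods it has not seen (an unknown method simply yields an entry with no key details), so the policy function fails closed: anything not explicitly recognised as strong leaves the second-factor prompt in place.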