[Bug 2408] Expose authentication information to PAM

bugzilla-daemon at bugzilla.mindrot.org
Fri Nov 20 08:43:00 AEDT 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2408

Vincent Brillault <git at lerya.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |git at lerya.net

--- Comment #1 from Vincent Brillault <git at lerya.net> ---
Created attachment 2754
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2754&action=edit
Expose successful auth methods via environments (pam and shell)

The attached patch exposes the authentication methods that were
successful during the authentication to PAM via a PAM environment
variable and to the child shell via an environment variable.

It is inspired by the PoC written by György Demarcsek and the
comments he received, but uses a different architecture:
- Any Authmethod can fill a "last_details" variable in the Authctxt in
case of success. It should fill it with details about the credentials
(e.g. RSA fingerprint)
- After each success, userauth_finish at auth2.c aggregates the method used
plus, if existing, this data into a "auth_details" variable in the
Authctxt
- When creating a new PAM session, export "auth_details" as
"SSH_USER_AUTH"
- When creating a shell session, export "auth_details" as
"SSH_USER_AUTH", overriding if necessary the value coming from PAM
- Support Privilege Separation (in a somehow degraded form)

I've in fact written 8 atomic patches (aggregated into this one). They
are available, with some comments in the commit, on Github:
https://github.com/openssh/openssh-portable/compare/master...Feandil:master

This patch has been tested on openssh-7.1p1 with the publickey and
keyboard-interactive methods and considering the following Privilege
Separation cases: Off, On, Sandbox (seccomp).

Some improvements could be built on top of this patch:
- Under Privilege Separation, expose details from key authentication
- In auth2-gss (in particular gss-serv-krb5) expose details about the
credentials (e.g. the kerberos principal)

However, these improvements seem more complex and could maybe be added in
a later patch?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
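The aggregation and consumer-side check that the comment's design implies, written here as an added C model for this page; it is not the attached patch or OpenSSH code. The `struct authctxt` field names, the function names and the comma-joined `method[ details]` value format are assumptions, and the fingerprint used in the comments is constructed. It shows how a PAM module or login shell could verify from SSH_USER_AUTH that a given method actually succeeded.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Modelled after the comment's design; entries of the form
 * "method[ details]" joined by "," is an assumed format, not the patch's. */
struct authctxt {
	char *last_details;	/* set by an Authmethod on success, e.g. key fingerprint */
	char *auth_details;	/* aggregate of every successful method so far */
};

/* What userauth_finish would do after each success: append the method and
 * any last_details, then clear last_details so a stale value cannot be
 * attached to the next method's record. */
static void auth_record_success(struct authctxt *a, const char *method)
{
	const char *prev = a->auth_details ? a->auth_details : "";
	const char *det = a->last_details ? a->last_details : "";
	size_t n = strlen(prev) + strlen(method) + strlen(det) + 3; /* "," " " NUL */
	char *buf = malloc(n);

	if (buf == NULL)
		abort();
	snprintf(buf, n, "%s%s%s%s%s", prev, *prev ? "," : "", method,
	    *det ? " " : "", det);
	free(a->auth_details);
	free(a->last_details);
	a->auth_details = buf;
	a->last_details = NULL;
}

/* Consumer side (PAM module or login shell reading SSH_USER_AUTH): did
 * `method` succeed?  Compares whole method names only, so a detail string
 * such as a fingerprint or a longer method name never matches. */
static int auth_used_method(const char *auth_details, const char *method)
{
	size_t mlen = strlen(method);

	while (auth_details != NULL && *auth_details != '\0') {
		size_t len = strcspn(auth_details, ", "); /* name ends at ' ' or ',' */

		if (len == mlen && memcmp(auth_details, method, mlen) == 0)
			return 1;
		auth_details = strchr(auth_details, ',');
		if (auth_details != NULL)
			auth_details++;
	}
	return 0;
}
```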