[Bug 3370] New: pam_ssh_agent_auth - passing wrong username argument when used in /etc/pam.d/su-l

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Dec 10 02:33:50 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3370

            Bug ID: 3370
           Summary: pam_ssh_agent_auth - passing wrong username argument
                    when used in /etc/pam.d/su-l
           Product: Portable OpenSSH
           Version: 8.8p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: neilmw1 at gmail.com

Tested on several versions from 8.8p1 right back to 7.4p1 and on
different distros (RHEL, Ubuntu)

Issue: If you use su - <username> to elevate privileges when using the
auth sufficient pam_ssh_agent_auth.so
authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys parameters
within /etc/pam.d/su-l it passes the logged on username instead of the
user to be elevated to.  The result of this is the wrong public key is
returned by sss_ssh_authorizedkeys.

Debugging:
It seems to be specific to authorized_keys_command within pam_ssh_agent
as I've tried writing a simple bash script which outputs %u and that is
returning the wrong user.  If you use file=/%h/%u/.ssh/authorized_keys
that does return the correct user which makes me think it's specific to
the command.

Scenario:

User alice with standard privileges logs on from Windows using
pageant/PuttyCAC and has a smart card inserted.  To do any superuser
commands, she has to elevate herself with su - adminalice.

- SSH connects fine
- Alice does su - adminalice <enter>
- Authentication starts processing but rejects the authentication by
smartcard (returns wrong smartcard inserted within Windows) and reverts
to password (the next line down in the pam.d file)

- When using "debug" in the pam.d/su-l file you can see the following
output in /var/log/secure or /var/log/auth.log:
pam_ssh_agent_auth: debug1: Running AuthorizedKeysCommand:
"/usr/bin/sss_ssh_authorizedkeys" as "alice" with argument: "alice"

- This *should* read
pam_ssh_agent_auth: debug1: Running AuthorizedKeysCommand:
"/usr/bin/sss_ssh_authorizedkeys" as "alice" with argument:
"adminalice"
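An added diagnostic wrapper (not part of OpenSSH, pam_ssh_agent_auth or the reporter's setup) that can be pointed at by authorized_keys_command= in place of /usr/bin/sss_ssh_authorizedkeys: it logs which account ran the lookup and which user's keys were requested, then runs the real command. The install path /usr/local/sbin/log_authorized_keys and the logger tag are assumptions.

```shell
#!/bin/sh
# Hypothetical install path: /usr/local/sbin/log_authorized_keys
# Real command the module would otherwise run (path taken from the report).
REAL_CMD="/usr/bin/sss_ssh_authorizedkeys"

# Build the audit line: who ran the lookup and whose keys were requested.
# When the argument equals the invoking user during "su - <target>", the
# module consulted the wrong account's keys (the symptom in this report).
# Usage: lookup_audit_line <requested_user> <invoking_user>
lookup_audit_line() {
    requested="$1"
    invoker="$2"
    if [ "$requested" = "$invoker" ]; then
        note="argument equals invoking user (check against the su target)"
    else
        note="argument differs from invoking user"
    fi
    printf 'authorized_keys_command run as "%s" for user "%s": %s\n' \
        "$invoker" "$requested" "$note"
}

main() {
    requested="${1:-}"
    invoker="$(id -un)"
    line="$(lookup_audit_line "$requested" "$invoker")"
    # authpriv.info lands next to the pam_ssh_agent_auth debug lines in
    # /var/log/secure or /var/log/auth.log.
    logger -t pam_ssh_agent_auth-wrapper -p authpriv.info -- "$line"
    exec "$REAL_CMD" "$requested"
}

# Only run main when executed under the install name, not when sourced.
case "$0" in
    *log_authorized_keys) main "$@" ;;
esac
```

Compare the logged "for user" value with the target of the su command in the same log window; with the behaviour described above it will show the logged-on user rather than adminalice.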
