[Bug 3370] New: pam_ssh_agent_auth - passing wrong username argument when used in /etc/pam.d/su-l
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Fri Dec 10 02:33:50 AEDT 2021
https://bugzilla.mindrot.org/show_bug.cgi?id=3370
Bug ID: 3370
Summary: pam_ssh_agent_auth - passing wrong username argument
when used in /etc/pam.d/su-l
Product: Portable OpenSSH
Version: 8.8p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
Reporter: neilmw1 at gmail.com
Tested on several versions from 8.8p1 right back to 7.4p1 and on
different distros (RHEL, Ubuntu)
Issue: If you use su - <username> to elevate privileges when using the
auth suffucient pam_ssh_agent_auth .so
authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys parameters
within /etc/pam.d/su-l it passes the logged on username instead of the
user to be elevated to. The result of this is the wrong public key is
returned by sss_ssh_authorizedkeys.
Debugging:
It seems to be specific to authorized_keys_command within pam_ssh_agent
as I've tried writing a simple bash script which outputs %u and that is
returning the wrong user. If you use file=/%h/%u/.ssh/authorized_keys
that does return the correct user which makes e think its specific to
the command.
Scenario:
User alice with standard privileges logs on from Windows using
pageant/PuttyCAC and has a smart card inserted. To do any superuser
commands, she has to elevate herself with su - adminalice.
- SSH connects fine
- Alice does su - adminalice <enter>
- Authentication starts processing but rejects the authentication by
smartcard (returns wrong smartcard inserted within Windows) and reverts
to password (the next line down in the pam.d file)
- When using "debug" in the pam.d/su-l file you can see the following
output in /var/log/secure or /var/log/auth.log:
pam_ssh_agent_auth: debug1: Running AuthorizedKeysCommand:
"/usr/bin/sss_ssh_authorizedkeys" as "alice" with argument: "alice"
- This *should* read
pam_ssh_agent_auth: debug1: Running AuthorizedKeysCommand:
"/usr/bin/sss_ssh_authorizedkeys" as "alice" with argument:
"adminalice"
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list