Behaviour of OpenSSH while login as root and non-root account

Damien Miller djm at mindrot.org
Fri Feb 11 13:02:31 EST 2011


On Thu, 10 Feb 2011, gaurav gupta wrote:

>  Hello Friends,
> 
> I am writing a PAM module for SSH to enforce one more layer of
> authentication. For that I need the terminal ID in the close_session() and
> pam_sm_setcred() functions in the PAM module, while OpenSSH hardcoded it as
> "ssh". I made a few changes in the OpenSSH code so it can set the terminal ID
> properly. These changes were:
> 
> added do_pam_set_tty() in session_pty_req(Session *s) function in session.c
> and added do_pam_set_tty() in mm_pty_allocate() function in monitor_wrap.c
> 
> It works fine for root and I get the appropriate tty in the pam_sm_cred() and
> pam_sm_close_session() functions.
> 
> But using the same code, when I try to ssh through a non-root account I am
> getting the tty in pam_sm_close_session() but not in pam_sm_cred(). I am not
> sure why ssh is behaving differently for root and non-root accounts.
> 
> Is there anything which triggers SSH behavior for root and non-root accounts,
> or can anyone suggest what can be wrong here? I have no idea how I can
> proceed and it would be great if someone could give me some pointers.

Yes, post-auth privilege separation is skipped for root users. See Niels'
paper for more details:

http://www.citi.umich.edu/u/provos/papers/privsep.pdf

