Provide AcceptEnv variables to a Linux PAM module?
Ryan Cox
ryan_cox at byu.edu
Tue Oct 15 09:01:31 EST 2013
I've been looking for a while and can't figure out for sure if variables
allowed by AcceptEnv are readable by a PAM module. I looked through the
openssh source code and found a few calls to pam_putenv(), which looks
like the relevant call, but I don't see anything that would copy over
AcceptEnv variables. Am I correct that the variables are not available
to PAM? I'm guessing there are security implications to passing
arbitrary variables through to PAM but is there some other way I can do so?

The reason I ask is because I'm working with the SLURM resource manager
to monitor remote processes launched via ssh. It's not perfect, but I'm
using SendEnv and AcceptEnv to pass $SLURM_JOB_ID around. I want to run
a pam module or script that assigns sshd and its children to a
particular cgroup (based on $SLURM_JOB_ID) using a slurm API call. The
best solution I have found seems to be calling a script from
/etc/ssh/sshrc as the user (which can be negated by users creating
~/.sshrc). Is that the best option at the moment? Ideally we would do
this in PAM as root but it doesn't seem possible for now.
Ryan Cox
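
The job id in the post arrives through SendEnv/AcceptEnv, so the connecting client chooses its value. The sketch below is an added example, not code from the post, from OpenSSH or from SLURM: it shows how a script called from /etc/ssh/sshrc could validate $SLURM_JOB_ID before using it to pick a cgroup. The function names, CGROUP_ROOT, the job_<id> directory layout and the cgroup v1 tasks file are assumptions, and which PID to attach is left to the caller.

```shell
#!/bin/sh
# Added example: validate a client-supplied SLURM_JOB_ID before it is used
# to select a cgroup. CGROUP_ROOT and the "job_<id>" layout are assumptions.

CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup/freezer/slurm}"  # hypothetical layout

# Print the cgroup directory for a job id, or return 1 if the id is unsafe.
# The value comes from the client's environment, so treat it as untrusted.
job_cgroup_dir() {
    id=$1
    case $id in
        ''|*[!0-9]*) return 1 ;;      # empty, or anything but decimal digits
    esac
    [ "${#id}" -le 10 ] || return 1   # bound the length
    dir="$CGROUP_ROOT/job_$id"
    # The directory must already exist and must not be a symlink.
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# Append a PID to the job's tasks file (cgroup v1 interface, assumed).
# $1 = job id as received, $2 = PID to move.
attach_pid() {
    dir=$(job_cgroup_dir "$1") || return 1
    [ -w "$dir/tasks" ] || return 1
    printf '%s\n' "$2" >> "$dir/tasks"
}
```

A digits-only check keeps path characters out of the cgroup path, but it does not show that the job belongs to the connecting user; that would need a lookup against the scheduler, which is not shown here.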