Working with PAM stages

Douglas E Engert deengert at gmail.com
Sat Aug 3 22:20:38 AEST 2019



On 8/1/2019 8:22 PM, Damien Miller wrote:
> On Thu, 1 Aug 2019, Carl Jenkins wrote:
> 
>> Hi,
>>
>> I’m trying to develop a PAM module with OpenSSH, and I realized I need to
>> retrieve something in a later stage that was saved in another previous
>> stage. As far as my tests on OpenSSH 7.6 go, the password auth route goes
>> through PAM auth, account, session, and the session stage is in a different
>> UNIX process from the process where auth and account take place. For the
>> key auth route, auth stage is bypassed in favor of the AuthorizedKeys or
>> AuthorizedKeysCommand (in its own process) mechanisms, while PAM account
>> and session stages are in the same process. Is this correct?
>>
>> I’m aware of https://bugzilla.mindrot.org/show_bug.cgi?id=2548, which
>> corresponds to the password route. The key route doesn't seem to agree with it.
>> Regardless, I haven’t seen fixes around it.
>>
>> And in either auth route, what do the two processes share uniquely for the
>> same login attempt, like a session ID that I can extract?
> 
> I think the PAM environment might persist between stages, but
> get/put_item doesn't work because of OpenSSH's pre/postauth split.

I have not looked at this in a few years.

Sounds similar to an AFS Process Authentication Group (PAG). A PAG is set up so all
processes in a session can share network credentials, i.e. AFS tokens based on
Kerberos tickets. (DCE did something similar.) The PAG and the AFS tokens are
maintained in the kernel. This allows access to network resources based on being
a member of the PAG, and not on the UID on the local machine. SSH would forward
Kerberos tickets that would be used to acquire AFS tokens.

https://docs.openafs.org/AdminGuide/HDRWQ63.html#HDRWQ64
https://docs.openafs.org/Reference/1/pagsh.html

http://pubs.opengroup.org/onlinepubs/9668899/chap1.htm

https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html

Depending on your security requirements you could set an environment variable
that gets passed to each process.

This may or may not work: take the PID of the current process and use the PPID
to find the SSHD process, repeating if needed. Use the PID of the SSH process.


> 
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 

-- 

  Douglas E. Engert  <DEEngert at gmail.com>
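As an added example (not part of this thread, and not OpenSSH's or any PAM module's own code), here is the parent-chain walk the reply suggests, written in C. The per-PID lookup sits behind a callback so the same walk can be run against a constructed sample process table offline and against the live Linux /proc tree; `find_ancestor`, `proc_lookup`, `sample_lookup` and the PIDs in the sample table are hypothetical names and values chosen for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

struct procinfo {
    pid_t ppid;
    char  comm[64];   /* executable name from /proc/<pid>/stat, without parentheses */
};

/* Per-PID lookup: fills *out, returns 0 on success or -1 if the PID is unknown. */
typedef int (*lookup_fn)(pid_t pid, struct procinfo *out, void *ctx);

/* Parse one /proc/<pid>/stat line, "pid (comm) state ppid ...". The comm
 * field may itself contain spaces and ')', so anchor on the LAST ')'. */
int parse_stat_line(const char *line, struct procinfo *out)
{
    const char *open = strchr(line, '('), *close = strrchr(line, ')');
    char state;
    long ppid;
    if (open == NULL || close == NULL || close < open)
        return -1;
    size_t n = (size_t)(close - open - 1);
    if (n >= sizeof out->comm)
        n = sizeof out->comm - 1;
    memcpy(out->comm, open + 1, n);
    out->comm[n] = '\0';
    if (sscanf(close + 1, " %c %ld", &state, &ppid) != 2)
        return -1;
    out->ppid = (pid_t)ppid;
    return 0;
}

/* Parent PID from a stat line, or -1 if it does not parse. */
long stat_ppid(const char *line)
{
    struct procinfo pi;
    return parse_stat_line(line, &pi) == 0 ? (long)pi.ppid : -1;
}

/* Live lookup through the Linux /proc tree (hypothetical helper name). */
int proc_lookup(pid_t pid, struct procinfo *out, void *ctx)
{
    char path[64], line[1024];
    (void)ctx;
    snprintf(path, sizeof path, "/proc/%ld/stat", (long)pid);
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    int ok = fgets(line, sizeof line, f) != NULL;
    fclose(f);
    return ok ? parse_stat_line(line, out) : -1;
}

/* Walk the parent chain from `start` (which itself counts) and return the PID
 * of the nth (0-based) ancestor whose comm equals `name`. Returns -1 when the
 * chain reaches PID 0, a lookup fails, or 64 steps pass (cycle guard). */
pid_t find_ancestor(pid_t start, const char *name, int nth,
                    lookup_fn lookup, void *ctx)
{
    pid_t cur = start;
    for (int depth = 0; depth < 64 && cur > 0; depth++) {
        struct procinfo pi;
        if (lookup(cur, &pi, ctx) != 0)
            return -1;
        if (strcmp(pi.comm, name) == 0 && nth-- == 0)
            return cur;
        cur = pi.ppid;
    }
    return -1;
}

/* Constructed sample process tree (not real data) so the walk can be exercised
 * offline: bash(4242) <- sshd(4200) <- sshd(4100) <- init(1). */
static const struct { pid_t pid, ppid; const char *comm; } sample_table[] = {
    { 4242, 4200, "bash" }, { 4200, 4100, "sshd" },
    { 4100, 1, "sshd" },    { 1, 0, "init" },
};

int sample_lookup(pid_t pid, struct procinfo *out, void *ctx)
{
    (void)ctx;
    for (size_t i = 0; i < sizeof sample_table / sizeof sample_table[0]; i++) {
        if (sample_table[i].pid != pid)
            continue;
        out->ppid = sample_table[i].ppid;
        snprintf(out->comm, sizeof out->comm, "%s", sample_table[i].comm);
        return 0;
    }
    return -1;
}

int main(void)
{
    pid_t sshd = find_ancestor(getpid(), "sshd", 0, proc_lookup, NULL);
    if (sshd < 0)
        printf("no sshd ancestor of pid %ld\n", (long)getpid());
    else
        printf("nearest sshd ancestor of pid %ld: %ld\n", (long)getpid(), (long)sshd);
    return 0;
}
```

The `nth` parameter is the "repeat if needed" of the reply: on an OpenSSH server the nearest process named sshd above a session may be a privilege-separated child, and the listener is also named sshd, so a module needs its own rule for which ancestor it treats as the identity of the connection. Keep in mind that the comm field is self-reported by the process (it can be changed with prctl(PR_SET_NAME)), so a PID found this way identifies a position in the process tree, not an authenticated principal.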