PAM session setup and environment variables

Alexander Bokovoy ab at samba.org
Tue Dec 17 01:19:20 AEDT 2024


On Mon, 16 Dec 2024, Michal Sekletar wrote:
> Hello everyone,
> 
> I am trying to adjust the systemd-logind classification of the SSH
> session opened by Ansible client. By default the SSH session created
> by Ansible client is Class=user and Type=tty in systemd-logind.
> pam_systemd.so allows users to change this default via the environment
> variables XDG_SESSION_CLASS and XDG_SESSION_TYPE. When I set these
> variables on the client and make sure they are accepted by the server
> I observe in the log that variables are set but that happens *after*
> PAM session is created in the child process. Hence I have two obvious
> questions...
> 
> Is my analysis correct and thus it is not possible to influence PAM
> session set up via environment variables set by the client? If so,
> would you be open to accepting the patch to change that, i.e. all
> environment variables set by the client would be exposed in the child
> process that opens the PAM session?

pam_systemd enforces class 'user' for anything coming from SSH in
pam_sm_open_session. Here is a relevant fragment:

-------------------------------------------------------
       } else if (streq_ptr(tty, "cron")) {
                /* cron is setting PAM_TTY to "cron" for some reason (the commit carries no information why, but
                 * probably because it wants to set it to something as pam_time/pam_access/… require PAM_TTY to be set
                 * (as they otherwise even try to update it!) — but cron doesn't actually allocate a TTY for its forked
                 * off processes.) */
                type = "unspecified";
                class = "background";
                tty = NULL;

        } else if (streq_ptr(tty, "ssh")) {
                /* ssh has been setting PAM_TTY to "ssh" (for the same reason as cron does this, see above. For further
                 * details look for "PAM_TTY_KLUDGE" in the openssh sources). */
                type = "tty";
                class = "user";
                tty = NULL; /* This one is particularly sad, as this means that ssh sessions — even though usually
                             * associated with a pty — won't be tracked by their tty in logind. This is because ssh
                             * does the PAM session registration early for new connections, and registers a pty only
                             * much later (this is because it doesn't know yet if it needs one at all, as whether to
                             * register a pty or not is negotiated much later in the protocol). */
-------------------------------------------------------

This is in reaction to OpenSSH enforcing PAM_TTY_KLUDGE set to 1
unconditionally when being built on Linux.

This override in pam_systemd happens after it derived a type, class, and
the rest of possible settings from the configuration and PAM
environment, so it will not really help to just pass through the
environment variables.
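A simplified model of the ordering described above, added here as an illustration and not taken from pam_systemd or OpenSSH. The function `classify_session`, the `session_info` struct and the step-1 defaults are assumptions of the model; only the cron/ssh override branch follows the quoted fragment.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model of pam_sm_open_session ordering (not pam_systemd's code):
 * step 1 derives type/class from the PAM environment (XDG_SESSION_TYPE,
 * XDG_SESSION_CLASS) and config defaults, step 2 applies the PAM_TTY kludge
 * overrides for "cron" and "ssh". Because step 2 runs last, it wins. */

struct session_info {
        const char *type;
        const char *class;
        const char *tty;
};

/* Same semantics as systemd's streq_ptr(): equal if both NULL or both equal. */
static int streq_ptr(const char *a, const char *b) {
        if (!a || !b)
                return a == b;
        return strcmp(a, b) == 0;
}

/* env_type/env_class stand in for XDG_SESSION_TYPE/XDG_SESSION_CLASS as seen
 * in the PAM environment; NULL means unset. tty stands in for PAM_TTY. */
struct session_info classify_session(const char *tty, const char *env_type,
                                     const char *env_class) {
        struct session_info s;

        /* Step 1 (model defaults): environment wins over a plain-tty guess. */
        s.tty = tty;
        s.type = env_type ? env_type : (tty ? "tty" : "unspecified");
        s.class = env_class ? env_class : "user";

        /* Step 2: PAM_TTY kludge overrides, applied after step 1. */
        if (streq_ptr(tty, "cron")) {
                s.type = "unspecified";
                s.class = "background";
                s.tty = NULL;
        } else if (streq_ptr(tty, "ssh")) {
                s.type = "tty";
                s.class = "user";
                s.tty = NULL; /* pty is registered later, so logind cannot track it */
        }
        return s;
}
```

With `tty == "ssh"`, an explicit `XDG_SESSION_CLASS=background` from step 1 is discarded by step 2, which is why forwarding the client's environment alone does not change the logind classification.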

> 
> Cheers,
> Michal
> 
> PS: I want to be able to distinguish between "normal" ssh sessions and
> Ansible sessions as I think that Ansible sessions have slightly
> different semantics, e.g. no idle timeouts should apply to them even
> if they allocate PTY, similar to cron sessions.
> 

-- 
/ Alexander Bokovoy
