[PATCH] auth-pam: Check the user didn't change during PAM transaction
Dmitry V. Levin
ldv at strace.io
Fri Feb 14 11:34:21 AEDT 2025
On Thu, Feb 13, 2025 at 05:45:47PM +0100, Marco Trevisan wrote:
> From: Marco Trevisan (Treviño) <mail at 3v1n0.net>
>
> PAM modules can change the user during their execution, in such case ssh
> would still use the user that has been provided giving potentially
> access to another user with the credentials of another one.
>
> So prevent this to happen, by ensuring that the final PAM user is
> matching the one that initiated the transaction.
>
> See also: https://github.com/util-linux/util-linux/pull/3206
Note that linux-pam provides a module called pam_canonicalize_user with
the following description:
This PAM module uses the name of the user obtained via pam_get_user(3)
as a key to query the password database, and replaces PAM_USER with
the pw_name value that has been returned.
>From this perspective, a blanket ban on the user name change would be
too restrictive.
--
ldv
More information about the openssh-unix-dev
mailing list