[Bug 2408] Expose authentication information to PAM

bugzilla-daemon at bugzilla.mindrot.org
Tue May 16 12:15:32 AEST 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2408

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #9 from Damien Miller <djm at mindrot.org> ---
Created attachment 2978
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2978&action=edit
Refactor authctxt information, provide SSH_USER_AUTH

There are a few overlapping pieces of information already managed via
authctxt - strings for auth_log() and the list of already-attempted
keys, etc. and I wanted to make the code less confusing and brittle.

So this refactors what's there and uses that refactoring to implement
SSH_USER_AUTH in the user and PAM environments. I haven't included a
sshd_config knob to control it. I don't think that it's necessary to
restrict its visibility to PAM at all, but I might add something to
control it ending up in the user environment. Note that I've added
filtering of the PAM environment copied back into the user's
environment to ensure that SSH_USER_AUTH doesn't "leak" if/when I do
add such a knob.

The contents of SSH_USER_AUTH are a bit different to Vincent's patch.
The environment variable gets filled with a \n separated list of:

method[/submethod] [extra info]

For each authentication method that succeeded partially or completely.
Note that this might include authentication methods that didn't
actually contribute to the final success (e.g. if you had
"AuthenticationMethods publickey,password hostbased,password" and then
authenticated using publickey, hostbased, then password), but I don't
think this is a big problem.

For GSSAPI, the "extra info" is the displayname - identical to
Vincent's patch.

For public key and hostbased authentication it's the full key(s) used.
I figure that this is more general than fingerprints, since you can get
all of those via ssh-keygen anyway if you need them. In particular, it
permits the use of custom certificate extensions that can be read out
using "ssh-keygen -L" that would otherwise have been invisible.

Password and kbd-int have no extra information at present (though
kbd-int may set a /submethod).

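The comment above specifies the format of SSH_USER_AUTH (a newline-separated list of `method[/submethod] [extra info]`) but does not show how a consumer, such as a PAM module helper or a login script, should read it. The following is an added example, not part of the attachment or of OpenSSH: a small parser for that format plus a policy check that respects the caveat in the comment, namely that the variable may list methods which did not contribute to the final success, so a consumer can only ask "was method X used", not reconstruct the exact chain. The sample value, the `keyboard-interactive/pam` submethod, and the key material are constructed for illustration and are assumptions, not values taken from the patch.

```python
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample of what SSH_USER_AUTH could hold after a session that
# satisfied "AuthenticationMethods publickey,keyboard-interactive".
# The submethod "pam" and the key blob are placeholders (assumptions), not
# output captured from sshd.
SAMPLE_SSH_USER_AUTH = (
    "publickey ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA user@host\n"
    "keyboard-interactive/pam\n"
)


@dataclass(frozen=True)
class AuthRecord:
    method: str               # e.g. "publickey", "hostbased", "gssapi-with-mic"
    submethod: Optional[str]  # e.g. "pam" for keyboard-interactive/pam, else None
    extra: str                # key line, GSSAPI display name, or "" when absent


def parse_ssh_user_auth(value: str) -> list[AuthRecord]:
    """Parse the newline-separated 'method[/submethod] [extra info]' list.

    Blank lines (including the trailing newline) are skipped. Everything after
    the first space is the optional extra info, so key lines that themselves
    contain spaces ("type base64 comment") survive intact.
    """
    records = []
    for raw in value.split("\n"):
        line = raw.strip()
        if not line:
            continue
        head, _, extra = line.partition(" ")
        method, _, submethod = head.partition("/")
        records.append(AuthRecord(method, submethod or None, extra.strip()))
    return records


def methods_used(records: list[AuthRecord]) -> set[str]:
    """Set of methods that succeeded partially or completely."""
    return {r.method for r in records}


def keys_used(records: list[AuthRecord]) -> list[str]:
    """Public key lines carried as extra info for publickey/hostbased.

    Each line is in authorized_keys format; a consumer can write one to a file
    and run "ssh-keygen -L -f <file>" to read certificate extensions, as the
    comment above points out.
    """
    return [r.extra for r in records
            if r.method in ("publickey", "hostbased") and r.extra]


def session_satisfies(records: list[AuthRecord], required: list[str]) -> bool:
    """True when every required method appears among the succeeded methods.

    SSH_USER_AUTH may also list methods that did not contribute to the final
    success, so this is a "was used" check rather than a reconstruction of the
    exact chain that authenticated the session.
    """
    return set(required) <= methods_used(records)


if __name__ == "__main__":
    # Read the real variable when present (e.g. from a login shell), otherwise
    # fall back to the constructed sample so the script runs offline.
    value = os.environ.get("SSH_USER_AUTH", SAMPLE_SSH_USER_AUTH)
    recs = parse_ssh_user_auth(value)
    for r in recs:
        print(f"{r.method}" + (f"/{r.submethod}" if r.submethod else "")
              + (f": {r.extra}" if r.extra else ""))
    print("publickey used:", session_satisfies(recs, ["publickey"]))
```

A consumer running inside PAM should treat the key lines in `keys_used()` as data to log or compare against an allow-list, never as something to evaluate or execute; and, as the comment notes, the variable is only reliable when sshd itself sets it, so a PAM module should not trust an `SSH_USER_AUTH` that arrives via the user's own environment.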