Provide AcceptEnv variables to a Linux PAM module?
Ryan Cox
ryan_cox at byu.edu
Wed Oct 16 10:02:50 EST 2013
On 10/14/2013 05:04 PM, Damien Miller wrote:
> On Mon, 14 Oct 2013, Ryan Cox wrote:
>
>> I've been looking for a while and can't figure out for sure if variables
>> allowed by AcceptEnv are readable by a PAM module. I looked through the
>> openssh source code and found a few calls to pam_putenv(), which looks like
>> the relevant call, but I don't see anything that would copy over AcceptEnv
>> variables. Am I correct that the variables are not available to PAM?
> No, they are only applied when the user's session is created, after
> authentication.
>
>> I'm
>> guessing there are security implications to passing arbitrary variables
>> through to PAM but is there some other way I can do so?
> No, because the accepted environment variables are sent as part of the
> session establishment that occurs well after authentication completes.
That makes sense. It seems like a major architectural change to do
things differently.
> Maybe it would be possible to run the PAM session modules for each
> multiplexed session (right now we run them right after authentication but
> before session), but I'm not sure it would be safe to allow the user
> environment through to them if they continue to run as root.
I guess if that change is made and there is some concern about
overwriting variables, maybe a variable prefix could be added so there
are no name collisions? E.g. USER_PROVIDED_SLURM_JOB_ID or something
like that for SLURM_JOB_ID. I haven't really thought through it much
but that seems like it could work since the PAM module would have to be
coded to look for some variable anyway.
At the very least, I would like to find some surefire way to run a
script (as root or the user) and /etc/ssh/sshrc seems like the only
option at this point. Is there a way to either 1) ignore any ~/.sshrc
or 2) tell sshd to run both /etc/ssh/sshrc *and* ~/.sshrc if they
exist? I couldn't find any mention of that possibility in the manpages
or code. I suppose I could recompile sshd and have it ignore ~/.sshrc
but some configuration parameter would be nice.
If you ever did want to pursue my original idea of sending AcceptEnv
variables to PAM, I'm sure there would be a lot of grateful HPC users.
That said, I think the mandatory execution of /etc/ssh/sshrc or
something similar would work equally well in SLURM. If this doesn't
seem like a good feature to add, I can cron something to remove any
existing ~/.sshrc files and it will likely be just fine.
Thanks,
Ryan
More information about the openssh-unix-dev
mailing list