Re: Working with PAM stages

On 8/1/2019 8:22 PM, Damien Miller wrote:
On Thu, 1 Aug 2019, Carl Jenkins wrote:

Hi,

I’m trying to develop a PAM module with OpenSSH, and I realized I need to
retrieve something in a later stage that was saved in another previous
stage. As far as my tests on OpenSSH 7.6 go, the password auth route goes
through PAM auth, account, session, and the session stage is in a different
UNIX process from the process where auth and account take place. For the
key auth route, auth stage is bypassed in favor of the AuthorizedKeys or
AuthorizedKeysCommand (in its own process) mechanisms, while PAM account
and session stages are in the same process. Is this correct?

I’m aware of https://bugzilla.mindrot.org/show_bug.cgi?id=2548, which
corresponds to the password route. The key route doesn’t seem to agree with it.
Regardless, I haven’t seen fixes around it.

And in either auth route, what do the two processes share uniquely for the
same login attempt, like a session ID that I can extract?

I think the PAM environment might persist between stages, but
get/put_item doesn't work because of OpenSSH's pre/postauth split.

I have not looked at this in a few years.

Sounds similar to an AFS Process Authentication Group (PAG). A PAG is set up so all
processes in a session can share network credentials, i.e. AFS tokens based on
Kerberos tickets. (DCE did something similar.) The PAG and the AFS tokens are
maintained in the kernel. This allows access to network resources based on being
a member of the PAG, and not on the UID on the local machine. SSH would forward
Kerberos tickets, which would be used to acquire AFS tokens.

https://docs.openafs.org/AdminGuide/HDRWQ63.html#HDRWQ64
https://docs.openafs.org/Reference/1/pagsh.html

http://pubs.opengroup.org/onlinepubs/9668899/chap1.htm

https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html

Depending on your security requirements you could set an environment variable
that gets passed to each process.

This may or may not work: take the PID of the current process and use the PPID
to find the SSHD process, repeating if needed. Use the PID of the SSH process.



-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


--

 Douglas E. Engert  <DEEngert@xxxxxxxxx>

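The parent-PID walk sketched in the reply above, written out as an added example (this is not code from the thread, from OpenSSH, or from any PAM module). It assumes a Linux /proc filesystem for the live case and matches ancestors on the kernel `comm` name, which for sshd stays "sshd" even though the process title shown by ps ("sshd: user [priv]", "sshd: user@pts/0") is set via argv. The walk returns the nearest sshd ancestor, since that PID is unique to one connection, whereas the listener sshd further up is shared by every login and would make a useless session key. The process table can also be passed in explicitly, which is how the constructed sample at the bottom exercises it offline.

```python
"""Locate the per-connection sshd process by walking the PPID chain.

Added example, not part of the mailing-list thread. Assumes Linux /proc
when reading the live process table; a table can also be supplied by hand.
"""
import os
from typing import Dict, Optional, Tuple

# pid -> (ppid, comm)
ProcTable = Dict[int, Tuple[int, str]]


def read_proc_table() -> ProcTable:
    """Build pid -> (ppid, comm) from /proc/<pid>/stat (Linux only)."""
    table: ProcTable = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/stat") as f:
                stat = f.read()
        except OSError:
            continue  # process exited while we were scanning
        # comm is wrapped in parentheses and may itself contain spaces or ')',
        # so locate it with the LAST ')' rather than splitting on whitespace.
        lpar = stat.index("(")
        rpar = stat.rindex(")")
        comm = stat[lpar + 1:rpar]
        fields = stat[rpar + 2:].split()  # fields[0] = state, fields[1] = ppid
        table[int(entry)] = (int(fields[1]), comm)
    return table


def find_sshd_ancestor(pid: int, table: ProcTable,
                       name: str = "sshd", max_depth: int = 64) -> Optional[int]:
    """Return the PID of the nearest process named `name` at or above `pid`.

    The start PID itself is checked first: when this runs inside the PAM
    session stage the current process already is the sshd child. The depth
    guard protects against a malformed table with a PPID cycle.
    """
    seen = set()
    for _ in range(max_depth):
        if pid in seen or pid not in table:
            return None
        seen.add(pid)
        ppid, comm = table[pid]
        if comm == name:
            return pid
        if ppid <= 0:
            return None  # reached init/kernel without a match
        pid = ppid
    return None


def connection_key(pid: int, table: ProcTable) -> Optional[str]:
    """A stable per-login key derived from the per-connection sshd PID."""
    sshd_pid = find_sshd_ancestor(pid, table)
    return None if sshd_pid is None else f"sshd-{sshd_pid}"


# Constructed sample process table (hypothetical PIDs, not from a real host):
# listener sshd -> privileged monitor -> unprivileged child -> login shell.
SAMPLE_TABLE: ProcTable = {
    1:    (0, "systemd"),
    700:  (1, "sshd"),      # listening daemon, shared by all connections
    4321: (700, "sshd"),    # per-connection privileged monitor
    4322: (4321, "sshd"),   # per-connection unprivileged/session child
    4330: (4322, "bash"),   # user's login shell
    4400: (4330, "vim"),    # program started from that shell
    9000: (1, "cron"),      # unrelated daemon, no sshd ancestor
}

if __name__ == "__main__":
    table = read_proc_table() if os.path.isdir("/proc") else SAMPLE_TABLE
    print("live lookup:", connection_key(os.getpid(), table))
    print("sample lookup:", connection_key(4400, SAMPLE_TABLE))
```

Two points worth keeping in mind when relying on this: the key is only as unique as the PID, which the kernel reuses after the connection closes, so it must not be persisted as an identifier beyond the life of the session; and a process can rename its own `comm`, so the match is trustworthy only because the walk moves upward through ancestors that the unprivileged user did not create.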