On Mon, 16 Dec 2024, Michal Sekletar wrote:
> Hello everyone,
>
> I am trying to adjust the systemd-logind classification of the SSH
> session opened by Ansible client. By default the SSH session created
> by Ansible client is Class=user and Type=tty in systemd-logind.
> pam_systemd.so allows users to change this default via the environment
> variables XDG_SESSION_CLASS and XDG_SESSION_TYPE. When I set these
> variables on the client and make sure they are accepted by the server
> I observe in the log that variables are set but that happens *after*
> PAM session is created in the child process. Hence I have two obvious
> questions...
>
> Is my analysis correct and thus it is not possible to influence PAM
> session set up via environment variables set by the client? If so,
> would you be open to accepting the patch to change that, i.e. all
> environment variables set by the client would be exposed in the child
> process that opens the PAM session?

pam_systemd enforces class 'user' for anything coming from SSH in
pam_sm_open_session. Here is a relevant fragment:

-------------------------------------------------------
        } else if (streq_ptr(tty, "cron")) {
                /* cron is setting PAM_TTY to "cron" for some reason (the commit carries no information why, but
                 * probably because it wants to set it to something as pam_time/pam_access/… require PAM_TTY to be set
                 * (as they otherwise even try to update it!) — but cron doesn't actually allocate a TTY for its forked
                 * off processes.) */
                type = "unspecified";
                class = "background";
                tty = NULL;
        } else if (streq_ptr(tty, "ssh")) {
                /* ssh has been setting PAM_TTY to "ssh" (for the same reason as cron does this, see above. For further
                 * details look for "PAM_TTY_KLUDGE" in the openssh sources). */
                type = "tty";
                class = "user";
                tty = NULL; /* This one is particularly sad, as this means that ssh sessions — even though usually
                             * associated with a pty — won't be tracked by their tty in logind. This is because ssh
                             * does the PAM session registration early for new connections, and registers a pty only
                             * much later (this is because it doesn't know yet if it needs one at all, as whether to
                             * register a pty or not is negotiated much later in the protocol). */
-------------------------------------------------------

This is in reaction to OpenSSH enforcing PAM_TTY_KLUDGE set to 1
unconditionally when being built on Linux.

This override in pam_systemd happens after it derived a type, class,
and the rest of possible settings from the configuration and PAM
environment, so it will not really help to just pass through the
environment variables.

> Cheers,
> Michal
>
> PS: I want to be able to distinguish between "normal" ssh sessions and
> Ansible sessions as I think that Ansible sessions have slightly
> different semantics, e.g. no idle timeouts should apply to them even
> if they allocate PTY, similar to cron sessions.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
/ Alexander Bokovoy