Hi,

On Feb 14 2025, at 1:34 am, Dmitry V. Levin <ldv@xxxxxxxxx> wrote:
> On Thu, Feb 13, 2025 at 05:45:47PM +0100, Marco Trevisan wrote:
>> From: Marco Trevisan (Treviño) <mail@xxxxxxxxx>
>>
>> PAM modules can change the user during their execution; in such a case ssh
>> would still use the user that has been provided, potentially giving
>> access to another user with the credentials of another one.
>>
>> So prevent this from happening, by ensuring that the final PAM user
>> matches the one that initiated the transaction.
>>
>> See also: https://github.com/util-linux/util-linux/pull/3206
>
> Note that linux-pam provides a module called pam_canonicalize_user with
> the following description:
>
>     This PAM module uses the name of the user obtained via pam_get_user(3)
>     as a key to query the password database, and replaces PAM_USER with
>     the pw_name value that has been returned.
>
> From this perspective, a blanket ban on the user name change would be
> too restrictive.

The problem is that all this responsibility is on the modules themselves, and
given that PAM does not ensure in any way that the changed user name is
connected to the one that started the request, we may end up providing
access to users that are not the ones who started the transaction.

As mentioned on the linked PR, depending on the tool, it's sane to
perform further checks (in the su/sudo cases in fact one could just
ensure that the new user is the one getting access), but given how the ssh
PAM implementation is, I feel it's too risky to leave the modules this
power.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
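The two positions in this thread (a strict ban on any PAM_USER change versus tolerating the rename that pam_canonicalize_user performs) can both be expressed as a check the calling application runs after pam_authenticate() returns. The code below is an added example written for this page; it is not from the thread, from OpenSSH or from linux-pam. It assumes the caller has already read the PAM_USER item with pam_get_item(pamh, PAM_USER, ...) and passes it in as a string; the function names, the enum and the policy choice are the example's own. The SAME_ACCOUNT policy is a deliberate generalization of the strict check: it accepts a changed name only when both names resolve, via the passwd database, to the same uid, which is exactly what canonicalization produces and what a module that swaps in an unrelated account does not.

```c
/* Added example (not code from the thread, OpenSSH or linux-pam):
 * post-authentication check of the PAM_USER item against the user
 * name the application started the transaction with.
 *
 * Intended use in an application (sketch, real libpam calls):
 *     pam_start(service, requested_user, &conv, &pamh);
 *     pam_authenticate(pamh, 0);
 *     pam_get_item(pamh, PAM_USER, (const void **)&pam_user);
 *     if (!pam_user_is_acceptable(requested_user, pam_user, policy))
 *         -> treat as authentication failure
 */
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum user_policy {
    POLICY_STRICT,        /* any change of PAM_USER is a failure */
    POLICY_SAME_ACCOUNT   /* change allowed only if it names the same uid */
};

/* Resolve a login name to its uid. Returns 0 on success, -1 if the name
 * is empty, unknown, or the lookup itself fails. */
static int lookup_uid(const char *name, uid_t *out)
{
    struct passwd pw, *res = NULL;
    char buf[4096];

    if (name == NULL || *name == '\0')
        return -1;
    if (getpwnam_r(name, &pw, buf, sizeof(buf), &res) != 0 || res == NULL)
        return -1;
    *out = res->pw_uid;
    return 0;
}

/* Returns 1 if the session may proceed for `requested`, 0 if it must be
 * refused. `pam_user` is the PAM_USER value after the modules ran; NULL
 * (item unreadable) is treated as a failure, never as "unchanged".
 * Under POLICY_SAME_ACCOUNT both names must exist and map to one uid;
 * a name that does not resolve, or resolves to a different uid, is
 * rejected. */
int pam_user_is_acceptable(const char *requested, const char *pam_user,
                           enum user_policy policy)
{
    uid_t req_uid, pam_uid;

    if (requested == NULL || pam_user == NULL)
        return 0;
    if (strcmp(requested, pam_user) == 0)
        return 1;                         /* unchanged: always acceptable */
    if (policy == POLICY_STRICT)
        return 0;                         /* the patch's behaviour */
    if (lookup_uid(requested, &req_uid) != 0 ||
        lookup_uid(pam_user, &pam_uid) != 0)
        return 0;
    return req_uid == pam_uid;
}

int main(void)
{
    /* Constructed sample pairs; "no-such-user-xyz" is assumed absent. */
    const char *pairs[][2] = {
        { "root", "root" },
        { "root", "no-such-user-xyz" },
    };
    for (size_t i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++) {
        printf("%s -> %s: strict=%d same_account=%d\n",
               pairs[i][0], pairs[i][1],
               pam_user_is_acceptable(pairs[i][0], pairs[i][1], POLICY_STRICT),
               pam_user_is_acceptable(pairs[i][0], pairs[i][1], POLICY_SAME_ACCOUNT));
    }
    return 0;
}
```

Note that the uid comparison accepts any pair of passwd entries sharing a uid (the classic root/toor aliasing), which is the intended meaning of "same account" here; an application that wants to allow nothing beyond an exact canonical rename should compare pw_name of the resolved entry with the PAM_USER string instead.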