Bug 1492313
Summary: | sshd doesnt use pam auth stack anymore | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | dac.override |
Component: | openssh | Assignee: | Jakub Jelen <jjelen> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | rawhide | CC: | dwalsh, jjelen, lkundrak, lvrabec, mattias.ellert, mgrepl, plautrba, stefw, tmraz |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | openssh-7.6p1-2.fc27 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-12-10 05:03:52 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
dac.override
2017-09-16 11:04:09 UTC
The auth section of PAM stack is executed only for the password (or keyboard-interactive too?) authentication. For others, the auth section is skipped. Even though it might be confusing at first, this is how it always was and the only way how it makes sense, since for example in public key authentication, you do not have any authentication tokens that could PAM accept in pam_authenticate(). Therefore SSH calls just account and session sections. Does it work if you move the pam_sepermit.so to the account section, where it is probably more appropriate? Let me know if this resolved your issue, or if there is something else that might not be clear. Thanks. Yes that works: account required pam_sepermit.so debug So i would argue that this is a bug in /etc/pam.d/sshd BTW, whats up with those "pam_reauthorize.so" entries. That module does not exist and some times sshd complains about it: Sep 16 12:50:13 julius sshd[1027]: PAM unable to dlopen(/usr/lib64/security/pam_reauthorize.so): /usr/lib64/security/pam_reauthorize.so: cannot open shared object file: No such file or directory It looks like that. Tomas added this line to /etc/pam.d/sshd based on the bug #471746. But to me it is not clear whether it was intended to block only password logins by pam_sepermit, or it should have come to the account section to block all logins? About pam_reauthorize, it was added based on the bug #1115977 by Stef. It was used in the Fedora Server, in polkit and cockpit to my understanding. But I can not find any more documentation about that now. Nor I can find this .so in the Fedora repositories. Adding Stef if he can confirm if it is still needed. As you are probably aware by now: I would argue that pam_sepermit should apply to all logins. The idea is to disallow access to SELinux-restricted login shells when SELinux is not enforcing, regardless of whether the users uses a password or PKI for authentication. Originally the pam_sepermit was targeted at the xguest user however I agree that the module makes sense to be called from the account section for sshd. Also by default the sepermit.conf config file is empty so it will not change anything by default, it starts to come into play only when sysadmin populates the sepermit.conf with some users. ok, I will move the sepermit to the start of the account section. About the pam_reauthorize, it looks like it is gone from cockpit these days (since cockpit-135, which should be in all the Fedoras these dayse) [1] so we should be able to remove it from OpenSSH too. I will do that with the next update for Fedora 27 or so. Thank you for pointing that out. [1] https://github.com/cockpit-project/cockpit/commit/f7527bf4 openssh-7.6p1-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-96d1995b70 openssh-7.6p1-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-96d1995b70 openssh-7.6p1-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. |