Bug 1700680
| Summary: | Update man page for pam_tty_audit | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Mohammed Shakir Ali <sali> |
| Component: | pam | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED ERRATA | QA Contact: | Dalibor Pospíšil <dapospis> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.6 | CC: | dapospis, mitr |
| Target Milestone: | rc | Keywords: | ManPageChange, Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | pam-1.1.8-23.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1738265 | Environment: | |
| Last Closed: | 2020-03-31 19:10:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

This has nothing to do with bastion hosts specifically; _all_ of the input to an ssh session (or any interactive program like vim, FWIW) is logged. Another way to view this is that only _local_ echo state matters, not state on some other machine. (I don’t know how to word this clearly, just pointing out that the clarification should not overly focus on bastion hosts.)

What about this text?

Please note that passwords in some circumstances may be logged by TTY auditing
even if the <option>log_passwd</option> is not used. For example all input to
a ssh session will be logged - even if there is a password being typed into
some software running at the remote host because only the local TTY state
affects the local TTY auditing.

Mirek, is the text above OK?

Works for me.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1005

Description of problem:
One of our customers recommends that the man page for pam_tty_audit be amended to warn readers of the section saying that "passwords are not logged", to something indicating that passwords will be logged regardless when passing through a jump host (bastion).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
As per man pages, we notice the following:

log_passwd
    Log keystrokes when ECHO mode is off but ICANON mode is active. This is the mode in which the tty is placed during password entry. By default, passwords are not logged.

Expected results:
Update man pages to reflect that password will be captured in an environment while trying to ssh through a "Jump Host".

Additional info:
We raised a Bugzilla#1684319 on this issue, and noticed that passwords are logged in when there is a jump host involved.
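
The `log_passwd` rule quoted in the description, and the point made in the comments that only the local TTY state matters, can be checked against real termios flags. The following Python code is an added example, not code from pam or the kernel: `keystrokes_audited` is a hypothetical model of the rule as the man page words it, and the three scenarios are constructed on throwaway pseudo-terminals.

```python
import os
import pty
import termios
import tty

LFLAG = 3  # index of c_lflag in the list returned by termios.tcgetattr()

def is_password_mode(fd):
    """ECHO off while ICANON is on: the state the man page ties to password entry."""
    lflag = termios.tcgetattr(fd)[LFLAG]
    return not (lflag & termios.ECHO) and bool(lflag & termios.ICANON)

def keystrokes_audited(fd, log_passwd=False):
    """Assumed model of the documented rule: input is skipped only in password
    mode and only when log_passwd is unset. Only this TTY's flags are consulted."""
    return log_passwd or not is_password_mode(fd)

def enter_local_password_prompt(fd):
    """What a local prompt (e.g. getpass) does: clear ECHO, leave ICANON set."""
    attrs = termios.tcgetattr(fd)
    attrs[LFLAG] &= ~termios.ECHO
    termios.tcsetattr(fd, termios.TCSANOW, attrs)

def enter_interactive_client_mode(fd):
    """What an interactive ssh client does to its local TTY: raw mode, so the
    remote side handles echo and line editing (ECHO and ICANON both cleared)."""
    tty.setraw(fd)

def audit_decisions():
    """Return {scenario: audited?} for three local TTY states, log_passwd unset."""
    results = {}
    for name, prepare in (
        ("shell prompt", lambda fd: None),
        ("local password prompt", enter_local_password_prompt),
        ("ssh session, remote password prompt", enter_interactive_client_mode),
    ):
        master, slave = pty.openpty()  # fresh pseudo-terminal per scenario
        try:
            prepare(slave)
            results[name] = keystrokes_audited(slave)
        finally:
            os.close(master)
            os.close(slave)
    return results

if __name__ == "__main__":
    for scenario, audited in audit_decisions().items():
        print(f"{scenario:40} audited={audited}")
```

The third scenario is the jump-host case from the report: the local TTY is in raw mode, so it never matches the password-entry state even while the remote program has its own echo turned off.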