Bug 1970033

Summary: shellinabox is compiled without pam support
Product: [Fedora] Fedora EPEL
Component: shellinabox
Version: epel7
Hardware: x86_64
OS: Linux
Status: NEW
Severity: medium
Priority: unspecified
Type: Bug
Reporter: Javier Bértoli <javier>
Assignee: Simone Caronni <negativo17>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: negativo17

Description Javier Bértoli 2021-06-09 16:40:22 UTC
Description of problem:

Shellinabox in CentOS 7 does not read its PAM config file /etc/pam.d/shellinabox, because the package is not built with PAM support.

Inspecting the SRPM's SPEC file shows that the shellinabox build process inspects the OS to decide whether PAM and OpenSSL should be enabled.

From the tarball's files, you can see that the parameter used to make the decision is:

--disable-runtime-loading ShellInABox will try to load the OpenSSL, and PAM
                            libraries at run-time, if it has been compiled with
                            support for these libraries, and if the operating
                            system supports dynamic loading of libraries. This
                            allows you to install the same binary on different
                            systems independent of whether they have OpenSSL
                            and PAM enabled.  If you would rather directly link
                            these libraries into the binary, thus making them a
                            hard dependency, then disable runtime-loading.])

and then, when building the RPM in a default environment (a centos-7 docker container), you can see that the checks don't find the libraries:

checking security/pam_appl.h usability... no
checking security/pam_appl.h presence... no
checking for security/pam_appl.h... no
checking security/pam_client.h usability... no
checking security/pam_client.h presence... no
checking for security/pam_client.h... no
checking security/pam_misc.h usability... no
checking security/pam_misc.h presence... no
checking for security/pam_misc.h... no

creating a PAM-disabled package, which will completely ignore the /etc/pam.d/shellinabox file.

Also for this reason, using a service such as `--service=/:AUTH:HOME:SHELL` fails with the error

  Cannot look up user id "AUTH

Version-Release number of selected component (if applicable):

2.20-5

How reproducible:

always

Steps to Reproduce:
1. Install shellinabox
2. Create a totally bogus /etc/pam.d/shellinabox file
3. Start shellinabox

Actual results:

Connecting to shellinabox will succeed if you use --service=/:SSH, will fail with the error described above if you use --service=/:AUTH:HOME:SHELL, and will totally ignore any PAM parameter in the config file.

Expected results:

PAM should be used (i.e., to authenticate users via LDAP)

Additional info:

Rebuilding the package in a centos-7 docker image:

yum install -y pam-devel openssl-devel
rpmbuild --rebuild shellinabox-2.20-5.el7.src.rpm

and installing it gives you a PAM-enabled package that works correctly (even using :AUTH:HOME:SHELL) and respects the PAM settings in the /etc/pam.d/shellinabox file.
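As an added example (not part of this report or of the shellinabox package), a shell guard that could run in the spec's %build right after configure and turn the silent PAM detection described above into a hard build failure; the "checking for ..." lines it matches are the ones quoted in this report, and the two sample logs are constructed.

```shell
# Added example, not from the bug report or the shellinabox project: a guard
# for a spec's %build that reads configure's output and fails when the PAM
# header probes came back "no", so a package that silently ignores
# /etc/pam.d/shellinabox is never produced.

# headers_found LOG HEADER...: succeed only if configure reported every
# HEADER as found ("checking for <hdr>... yes"); print what is missing.
headers_found() {
  log=$1; shift
  missing=""
  for hdr in "$@"; do
    if ! grep -qF -- "checking for ${hdr}... yes" "$log"; then
      missing="$missing $hdr"
    fi
  done
  if [ -n "$missing" ]; then
    echo "missing:$missing"
    return 1
  fi
  echo "all headers found"
}

# The three PAM headers shellinabox's configure probes for, as quoted in
# the report. Call with the captured configure output after %configure.
check_pam_build() {
  headers_found "$1" security/pam_appl.h security/pam_client.h security/pam_misc.h
}

# mk_sample_logs NOPAM_LOG PAM_LOG: constructed configure logs; the first
# mirrors the centos-7 output in the report (no pam-devel installed), the
# second a build done after 'yum install -y pam-devel'.
mk_sample_logs() {
  cat > "$1" <<'EOF'
checking security/pam_appl.h usability... no
checking for security/pam_appl.h... no
checking for security/pam_client.h... no
checking for security/pam_misc.h... no
EOF
  cat > "$2" <<'EOF'
checking for security/pam_appl.h... yes
checking for security/pam_client.h... yes
checking for security/pam_misc.h... yes
EOF
}
```

In %build, capture configure's output to a file (for example with tee) and pass that file to check_pam_build; its non-zero return aborts the build instead of shipping a PAM-less binary.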