Bug 1115977 - Add pam_reauthorize.so to /etc/pam.d/sshd
Summary: Add pam_reauthorize.so to /etc/pam.d/sshd
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: cockpit-F21-tracker
Reported: 2014-07-03 12:47 UTC by Stef Walter
Modified: 2014-07-17 11:47 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1204233 (view as bug list)
Environment:
Last Closed: 2014-07-17 11:47:49 UTC
Type: Bug
Embargoed:


Attachments
Add pam_reauthorize.so to sshd.pam (1.76 KB, patch)
2014-07-03 12:55 UTC, Stef Walter

Description Stef Walter 2014-07-03 12:47:19 UTC
As discussed elsewhere, for Fedora Server we want to have pam_reauthorize.so late in the auth and session PAM stacks for sshd.

https://github.com/stefwalter/cockpit/blob/reauthorize/doc/reauthorize.md

Will post patch.

Comment 1 Stef Walter 2014-07-03 12:48:38 UTC
There are many ways to do this, but for now the simple approach seems to be best, just adding the relevant lines to /etc/pam.d/sshd:

# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare

# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

Comment 2 Stef Walter 2014-07-03 12:55:09 UTC
Created attachment 914455
Add pam_reauthorize.so to sshd.pam

I've done some tests on this. In addition, you can add a 'debug' flag to the PAM stack lines, and see further output in the logs.
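
The following check is an added example, not part of the bug report or the attached patch: it parses a PAM service file and reports whether the pam_reauthorize.so lines from Comment 1 are present, `optional`, prefixed with `-`, and placed late in the auth and session stacks. The function names and the sample file are assumptions made for illustration, and "late" is interpreted here as "the last rule of that type in the file".

```python
import re

# Constructed sample of /etc/pam.d/sshd: only the two pam_reauthorize.so lines
# come from Comment 1; the surrounding rules are assumed for illustration.
SAMPLE_SSHD_PAM = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
session    required     pam_loginuid.so
session    include      password-auth
-session   optional     pam_reauthorize.so prepare debug
"""
MODULE = "pam_reauthorize.so"

def parse_pam(text):
    """Yield (silent, type, control, module, args) for each rule line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            yield (m.group(1) == "-", m.group(2), m.group(3), m.group(4), m.group(5).split())

def check_reauthorize(text, stacks=("auth", "session")):
    """Return a list of findings; an empty list means the file matches Comment 1."""
    rules = list(parse_pam(text))
    findings = []
    for stack in stacks:
        in_stack = [r for r in rules if r[1] == stack]
        hits = [i for i, r in enumerate(in_stack) if r[3] == MODULE]
        if not hits:
            findings.append(f"{stack}: {MODULE} missing")
            continue
        silent, _, control, _, args = in_stack[hits[0]]
        if hits[0] != len(in_stack) - 1:
            findings.append(f"{stack}: {MODULE} is not the last rule")
        if control != "optional":
            findings.append(f"{stack}: control is {control!r}, expected 'optional'")
        if not silent:
            findings.append(f"{stack}: no leading '-', a missing module will be logged")
        if "prepare" not in args:
            findings.append(f"{stack}: 'prepare' argument missing")
        if "debug" in args:
            findings.append(f"{stack}: 'debug' is set (extra log output)")
    return findings
```

Running `check_reauthorize` on the sample reports only the `debug` flag on the session line, which is worth noticing if it was left in place after testing.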

