Bug 1492313 - sshd doesn't use pam auth stack anymore
Summary: sshd doesn't use pam auth stack anymore
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-09-16 11:04 UTC by dac.override
Modified: 2017-12-10 05:03 UTC (History)

Fixed In Version: openssh-7.6p1-2.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-10 05:03:52 UTC
Type: Bug
Embargoed:



Description dac.override 2017-09-16 11:04:09 UTC
Description of problem:
It seems that openssh server skips the auth stack in /etc/pam.d/sshd

For example, it skips "auth required pam_sepermit.so"

Version-Release number of selected component (if applicable):
openssh-server-7.5p1-5.fc27.x86_64

How reproducible:

In /etc/pam.d/sshd, append "debug" to "auth required pam_sepermit.so" so that it will log messages if it is run.

Log into the system with ssh and look in the logs. There should be sepermit.so related debug messages.

Also look at the auditd USER_AUTH record and note that there is no pam_grantors message.

NB. pam_sepermit works fine for other services

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Jakub Jelen 2017-09-18 08:13:03 UTC
The auth section of the PAM stack is executed only for the password (or keyboard-interactive too?) authentication. For others, the auth section is skipped. Even though it might be confusing at first, this is how it always was and the only way it makes sense, since for example in public key authentication you do not have any authentication tokens that PAM could accept in pam_authenticate(). Therefore SSH calls just the account and session sections.

Does it work if you move the pam_sepermit.so to the account section, where it is probably more appropriate?

Let me know if this resolved your issue, or if there is something else that might not be clear.

Comment 2 dac.override 2017-09-18 09:50:23 UTC
Thanks. Yes that works:

account    required     pam_sepermit.so debug

So I would argue that this is a bug in /etc/pam.d/sshd

BTW, what's up with those "pam_reauthorize.so" entries? That module does not exist and sometimes sshd complains about it:

Sep 16 12:50:13 julius sshd[1027]: PAM unable to dlopen(/usr/lib64/security/pam_reauthorize.so): /usr/lib64/security/pam_reauthorize.so: cannot open shared object file: No such file or directory

Comment 3 Jakub Jelen 2017-09-19 09:37:41 UTC
It looks like that. Tomas added this line to /etc/pam.d/sshd based on the bug #471746. But to me it is not clear whether it was intended to block only password logins by pam_sepermit, or it should have come to the account section to block all logins?

About pam_reauthorize, it was added based on the bug #1115977 by Stef. It was used in the Fedora Server, in polkit and cockpit to my understanding. But I can not find any more documentation about that now. Nor can I find this .so in the Fedora repositories. Adding Stef if he can confirm if it is still needed.

Comment 4 dac.override 2017-09-19 09:44:56 UTC
As you are probably aware by now: I would argue that pam_sepermit should apply to all logins.

The idea is to disallow access to SELinux-restricted login shells when SELinux is not enforcing, regardless of whether the users uses a password or PKI for authentication.

Comment 5 Tomas Mraz 2017-09-19 09:56:44 UTC
Originally the pam_sepermit was targeted at the xguest user; however, I agree that it makes sense for the module to be called from the account section for sshd. Also, by default the sepermit.conf config file is empty, so it will not change anything by default; it starts to come into play only when the sysadmin populates sepermit.conf with some users.

Comment 6 Jakub Jelen 2017-09-19 11:20:45 UTC
OK, I will move the sepermit to the start of the account section.

About the pam_reauthorize, it looks like it is gone from cockpit these days (since cockpit-135, which should be in all the Fedoras these days) [1], so we should be able to remove it from OpenSSH too. I will do that with the next update for Fedora 27 or so. Thank you for pointing that out.

[1] https://github.com/cockpit-project/cockpit/commit/f7527bf4
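The rule Jakub states in Comment 1 (sshd walks the auth section only for password and keyboard-interactive logins, while public-key logins go through account and session only) explains both the original report and the fix agreed in Comments 2 and 6. The checker below turns that rule into a lint over a pam.d-style sshd stack: it reports modules listed only under auth (which can never gate public-key logins) and modules whose .so is not installed (the dlopen failure from Comment 2). This is an added example, not code from the bug report, OpenSSH or Fedora; the two sample stacks, the installed-module set and all function names are constructed for the illustration and only mirror the shape of the file discussed in the thread.

```python
"""Lint an sshd PAM stack for modules that a given login method never runs.

Added example (not part of the bug report). Encodes the rule from Comment 1:
sshd runs `auth` only for password / keyboard-interactive, and `account` +
`session` for every login including public key. Samples are constructed.
"""
import re

# Constructed sample stack showing both problems discussed in the thread:
# pam_sepermit only under auth, and pam_reauthorize.so referenced but absent.
BROKEN_SSHD_STACK = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
auth       optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
session    include      password-auth
session    include      postlogin
session    optional     pam_reauthorize.so prepare
"""

# Constructed: the shape of the fix from Comment 6 (sepermit moved to the start
# of the account section, reauthorize entries dropped).
FIXED_SSHD_STACK = (
    BROKEN_SSHD_STACK
    .replace("auth       required     pam_sepermit.so\n", "")
    .replace("account    required     pam_nologin.so",
             "account    required     pam_sepermit.so\n"
             "account    required     pam_nologin.so")
    .replace("auth       optional     pam_reauthorize.so prepare\n", "")
    .replace("session    optional     pam_reauthorize.so prepare\n", "")
)

# Constructed stand-in for what is present in /usr/lib64/security on the host.
INSTALLED_MODULES = {"pam_sepermit.so", "pam_nologin.so", "pam_keyinit.so",
                     "pam_loginuid.so", "pam_unix.so"}

# Management groups sshd dispatches per method (Comment 1). The `password`
# group is chauthtok, not login, so it appears in no method.
GROUPS_BY_METHOD = {
    "password": ("auth", "account", "session"),
    "keyboard-interactive": ("auth", "account", "session"),
    "publickey": ("account", "session"),
}

# type, control word or [bracketed] control, module, args; a leading '-'
# tells libpam to ignore a module that fails to load.
PAM_LINE = re.compile(
    r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_stack(text):
    """Parse pam.d text into dicts: type, control, module, args, optional_load, is_ref."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and #%PAM-1.0
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError("unparseable pam.d line: %r" % raw)
        dash, mtype, control, module, args = m.groups()
        entries.append({
            "type": mtype, "control": control, "module": module,
            "args": args.split(), "optional_load": dash == "-",
            # include/substack name another stack file, not a .so
            "is_ref": control in ("include", "substack"),
        })
    return entries

def modules_run_for(entries, method):
    """Modules (excluding include/substack refs) sshd dispatches for a login method."""
    groups = GROUPS_BY_METHOD[method]
    return [e["module"] for e in entries if e["type"] in groups and not e["is_ref"]]

def find_auth_only_modules(entries):
    """Modules that appear only under auth, i.e. are skipped for public-key logins."""
    by_type = {}
    for e in entries:
        if not e["is_ref"]:
            by_type.setdefault(e["module"], set()).add(e["type"])
    return sorted(m for m, t in by_type.items() if t == {"auth"})

def find_unresolvable_modules(entries, installed):
    """(hard, soft): modules absent from `installed`; soft ones carry the '-' prefix."""
    hard, soft = set(), set()
    for e in entries:
        if e["is_ref"] or e["module"] in installed:
            continue
        (soft if e["optional_load"] else hard).add(e["module"])
    return sorted(hard), sorted(soft)

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_SSHD_STACK), ("fixed", FIXED_SSHD_STACK)):
        ents = parse_pam_stack(text)
        print(name, "auth-only:", find_auth_only_modules(ents))
        print(name, "publickey runs:", modules_run_for(ents, "publickey"))
        print(name, "missing .so:", find_unresolvable_modules(ents, INSTALLED_MODULES))
```

Run against the broken stack it lists pam_sepermit.so as auth-only and pam_reauthorize.so as unresolvable; against the fixed stack both lists are empty and pam_sepermit.so is the first module dispatched for a public-key login, which is the ordering Comment 6 asks for.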

Comment 7 Fedora Update System 2017-11-22 09:05:16 UTC
openssh-7.6p1-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-96d1995b70

Comment 8 Fedora Update System 2017-11-22 21:42:18 UTC
openssh-7.6p1-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-96d1995b70

Comment 9 Fedora Update System 2017-12-10 05:03:52 UTC
openssh-7.6p1-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

