Bug 1970033 - shellinabox is compiled without pam support
Summary: shellinabox is compiled without pam support
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: shellinabox
Version: epel7
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Simone Caronni
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-06-09 16:40 UTC by Javier Bértoli
Modified: 2021-06-09 16:40 UTC

Fixed In Version:
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description Javier Bértoli 2021-06-09 16:40:22 UTC
Description of problem:

Shellinabox in centos7 does not read its pam config file /etc/pam.d/shellinabox, because the package is not built with pam support.

Inspecting the SRPM SPEC file shows that the shellinabox build process inspects the OS to decide whether PAM & OpenSSL should be enabled.

From the tarball's files, you can see that the parameter used to make the decision is:

--disable-runtime-loading ShellInABox will try to load the OpenSSL, and PAM
                            libraries at run-time, if it has been compiled with
                            support for these libraries, and if the operating
                            system supports dynamic loading of libraries. This
                            allows you to install the same binary on different
                            systems independent of whether they have OpenSSL
                            and PAM enabled.  If you would rather directly link
                            these libraries into the binary, thus making them a
                            hard dependency, then disable runtime-loading.])

and then, when building the RPM in a default environment (centos-7 docker container), you can see that the checks don't find the libraries:

checking security/pam_appl.h usability... no
checking security/pam_appl.h presence... no
checking for security/pam_appl.h... no
checking security/pam_client.h usability... no
checking security/pam_client.h presence... no
checking for security/pam_client.h... no
checking security/pam_misc.h usability... no
checking security/pam_misc.h presence... no
checking for security/pam_misc.h... no

creating a pam-disabled package, which will completely ignore the /etc/pam.d/shellinabox file.

Also for this reason, using a service such as `--service=/:AUTH:HOME:SHELL` fails with the error

  Cannot look up user id "AUTH

Version-Release number of selected component (if applicable):

2.20-5

How reproducible:

always

Steps to Reproduce:
1. Install shellinabox
2. Create a totally bogus /etc/pam.d/shellinabox file
3. Start shellinabox

Actual results:

Connecting to shellinabox will succeed if you use --service=/:SSH, will fail with the error described above if using --service=/:AUTH:HOME:SHELL, and will totally ignore any pam parameter in the config file.

Expected results:

PAM should be used (i.e., to authenticate users using LDAP)

Additional info:

Rebuilding the package in a centos-7 docker image:

yum install -y pam-devel openssl-devel
rpmbuild --rebuild shellinabox-2.20-5.el7.src.rpm

and installing it gives you a pam-enabled package that works correctly (even using :AUTH:HOME:SHELL) and respects the pam settings in the /etc/pam.d/shellinabox file.
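As an added example that is not part of this bug report or of the shellinabox project: the failure described above is silent, because configure only probes for the PAM headers and, when they are absent, still produces a working binary that simply ignores /etc/pam.d/shellinabox. The POSIX sh helper below is a build gate that scans configure output for the "checking for security/pam_*.h" lines quoted in the report and refuses the build unless every one of them answered "yes". It assumes the configure output is fed on stdin (for example tee'd from the rpmbuild log) and that the header names follow the three quoted in the report; the two sample logs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the bug report's or the shellinabox project's code).
# Build gate: fail when configure silently dropped PAM support.

# Exit 0 if every "checking for security/pam_*.h... " line on stdin says
# "yes", 1 if any says "no" or if no such line was seen at all (which
# would mean the PAM checks never ran and the build cannot be trusted).
pam_support_detected() {
    awk '
        /^checking for security\/pam_[a-z]+\.h\.\.\. / {
            total++
            if ($NF == "yes") ok++
        }
        END { exit ((total > 0 && ok == total) ? 0 : 1) }
    '
}

# Print a one-word verdict, "enabled" or "disabled", for the configure
# output on stdin.
pam_verdict() {
    if pam_support_detected; then echo enabled; else echo disabled; fi
}

# Constructed sample: the configure output quoted in the report, i.e. a
# build box without pam-devel.
SAMPLE_MISSING='checking security/pam_appl.h usability... no
checking security/pam_appl.h presence... no
checking for security/pam_appl.h... no
checking security/pam_client.h usability... no
checking security/pam_client.h presence... no
checking for security/pam_client.h... no
checking security/pam_misc.h usability... no
checking security/pam_misc.h presence... no
checking for security/pam_misc.h... no'

# Constructed sample: the same summary checks after pam-devel is installed.
SAMPLE_PRESENT='checking for security/pam_appl.h... yes
checking for security/pam_client.h... yes
checking for security/pam_misc.h... yes'

# Usage in a build script (assumed layout):
#   ./configure 2>&1 | tee configure.log
#   pam_support_detected < configure.log || {
#       echo "PAM headers missing; run: yum install -y pam-devel openssl-devel" >&2
#       exit 1
#   }
# Stand-alone demo on the constructed samples: sh gate.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_MISSING" | pam_verdict
    printf '%s\n' "$SAMPLE_PRESENT" | pam_verdict
fi
```

The gate deliberately treats "no PAM check lines at all" as a failure, so a configure run that never probed for the headers (a changed build system, a truncated log) cannot pass by accident; the remedy for the "disabled" verdict on EPEL7 is the pam-devel/openssl-devel rebuild the report shows.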

