This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 519232 - strange behaviour pam_namespace with ssh
strange behaviour pam_namespace with ssh
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: pam (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-08-25 14:31 EDT by Dominick Grift
Modified: 2009-08-25 15:17 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-08-25 15:17:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Dominick Grift 2009-08-25 14:31:30 EDT
Description of problem:

I use pam namespace and ssh. If i am logged into a gnome session and also try to login from remote using ssh then ssh cannot find ~/.ssh/authorized_keys. ssh prompts for a password.

If i am not logged into a gnome session and i try to log in from a remote session using ssh then ssh *can* find ~/.ssh/authorized_keys. ssh does *not* prompt for a password. But ssh creates a new <username>.inst into my existing one.

Version-Release number of selected component (if applicable):
all

How reproducible:
enable pam_namespace. 

1.log in locally in gnome. add a public key from a remote system to your ~/.ssh/authorized_keys, and log in from that remote system via ssh (note that ssh prompts for a password and once the password is entered you will be in the right ~)

2. logout of you local gnome session and from the remote system login using ssh (note that ssh logs you in without prompting for a password and that you will be in an empty ~) (not the ~ where your atall .ssh/authorized_keys file is)

somewhere like this /home/dgrift/dgrift.inst/dgrift_u:dgrift_r:dgrift_t:s0-s0:c0.c1023_dgrift/dgrift.inst/dgrift_u:dgrift_r_dgrift_t:s0-s0:c0.1023/
Steps to Reproduce:

Additional info:

so in short poly instantiation works fine if you only use it for gui or only for ssh. once you start using it for both, ssh shows strange behaviour
Comment 1 Dominick Grift 2009-08-25 14:34:04 EDT
erm, wrong description of how to reproduce.

This actually happens when you restart sshd.

so do 1. then do service sshd restart and try to login using ssh again.
Comment 2 Tomas Mraz 2009-08-25 14:42:40 EDT
There is not quite enough info about how you configured pam_namespace. It is not a trivial task. You will also probably need some mount --make-rshared or similar calls if you want to share some mountpoints within namespaces.
Comment 3 Dominick Grift 2009-08-25 14:59:02 EDT
This is whats in my /etc/security/namesspace.conf

/tmp     /tmp-inst/             level      root,adm
/var/tmp /var/tmp-inst/         level      root,adm
$HOME    $HOME/$USER.inst/     level    root,adm

i set "allow pam_namespace" selinux boolean to true.

This is my /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      system-auth
auth       required     pam_tally2.so deny=5 onerr=fail
account    required     pam_nologin.so
account    include      system-auth
account    required     pam_tally2.so
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    required    pam_namespace.so
session    include      system-auth

I did not change anything else

Please note that everything seems to work fine except:

if i login using ssh it asks for my password instead of using pki (~/ssh/authorized_keys) This is when i am also logged in locally in gnome on that system)

If i restart sshd, then it will log me in without prompting for my password. but ssh will create a new dir in my (already instantiated home dir)
Comment 4 Tomas Mraz 2009-08-25 15:17:27 EDT
(In reply to comment #3)
> 
> Please note that everything seems to work fine except:
> 
> if i login using ssh it asks for my password instead of using pki
> (~/ssh/authorized_keys) This is when i am also logged in locally in gnome on
> that system)

Yes, that's to be expected if you polyinstantiate the home directory because sshd does not know anything about polyinstatiation and it does not see the authorized_keys file inside the instance directory. So either do not polyinstantiate the home directory or copy the authorized_keys file to the original non-polyinstantiated home.

> If i restart sshd, then it will log me in without prompting for my password.
> but ssh will create a new dir in my (already instantiated home dir)  

I suppose you restart the sshd inside the polyinstantiated session - then again this is to be expected because you're creating instance inside another instance.
Simply do not do that.

Note You need to log in before you can comment on or make changes to this bug.