Hi all, Following a discussion of last June and the resulting bug (2408), in order to improve 2 factor authentication, I've worked on a set of patches to expose at least basic authentication information and more when possible. By exposing such information to PAM, it would be possible to differentiate the cases when PAM is called first and when it is called after a valid authentication (e.g. when using AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam publickey,keyboard-interactive:pam keyboard-interactive:pam) The design of these patches is rather simple: - Authentication method can "publish" detailed information about the client, if the authentication was successful - In the main auth 2 loop, after a successful authentication, the authentication method is recorded, including details if provided - When calling PAM or a shell, export this information via an environment variable I've tried to keep the patches as small and atomic as possible. The larger change is probably the introduction of 'pubkey_format' in order to only have one function to print a public key. This set of patch could be extended to cover more ground, but I not sure how and thus I'm open to suggestions and ideas on how: - to expose the same kind of detailed information from the priviledged thread in case of priviledge separation - to produce the same kind of information from other authentication methods (I'm particularly interested in getting the kerbors principal from gss-serv-krb5 for example) Resolving such questions would probably make this feature complete, but I fear that they need complex modifications of the existing code. Do you think that this design and this first step could be considered and merged first, without closing the door for further improvement? Thanks in advance, Vincent PS: I've posted these patches as a single patch on the bugzilla, but as I didn't get any feedback, I'm trying my luck here directly -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Store-details-about-successful-auth-methods.patch Type: text/x-diff Size: 1954 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151126/2a26a6ba/attachment-0008.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Export-auth_details-to-child-env-as-SSH_USER_AUTH.patch Type: text/x-diff Size: 717 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151126/2a26a6ba/attachment-0009.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-Expose-auth_details-to-pam-via-SSH_USER_AUTH.patch Type: text/x-diff Size: 1196 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151126/2a26a6ba/attachment-0010.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: 0004-Extract-pubkey_format-from-pubkey_auth_info.patch Type: text/x-diff Size: 2889 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151126/2a26a6ba/attachment-0011.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: 0005-auth2-pubkey-fill-last_details-on-success.patch Type: text/x-diff Size: 1334 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151126/2a26a6ba/attachment-0012.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: 0006-auth2-hostbased-fill-last_details-on-success.patch Type: text/x-diff Size: 1414 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151126/2a26a6ba/attachment-0013.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: 0007-privsep-Expose-success-auth-methods.patch Type: text/x-diff Size: 1537 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151126/2a26a6ba/attachment-0014.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: 0008-Mention-SSH_USER_AUTH-in-the-man-page.patch Type: text/x-diff Size: 927 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151126/2a26a6ba/attachment-0015.bin>
Vincent Brillault
2016-Jan-14 10:49 UTC
[PATCH RFC] Expose authentication information in the environment (PAM & shell)
Dear all, I believe that my last email to the list, in November, got unfortunately lost for most people due to the 'DMARC' configuration on the domain I was using. I'm now using another email address, that will hopefully work this time... Here is the content of my previous email: On Thu 26.Nov'15 at 21:32:05 +0100, Vincent Brillault wrote:> Following a discussion of last June and the resulting bug (2408), in > order to improve 2 factor authentication, I've worked on a set of > patches to expose at least basic authentication information and more > when possible. By exposing such information to PAM, it would be possible > to differentiate the cases when PAM is called first and when it is > called after a valid authentication (e.g. when using > AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam > publickey,keyboard-interactive:pam keyboard-interactive:pam) > > The design of these patches is rather simple: > - Authentication method can "publish" detailed information about the > client, if the authentication was successful > - In the main auth 2 loop, after a successful authentication, the > authentication method is recorded, including details if provided > - When calling PAM or a shell, export this information via an > environment variable > > I've tried to keep the patches as small and atomic as possible. > The larger change is probably the introduction of 'pubkey_format' in > order to only have one function to print a public key. > > This set of patch could be extended to cover more ground, but I not sure > how and thus I'm open to suggestions and ideas on how: > - to expose the same kind of detailed information from the priviledged > thread in case of priviledge separation > - to produce the same kind of information from other authentication > methods (I'm particularly interested in getting the kerbors principal > from gss-serv-krb5 for example) > > Resolving such questions would probably make this feature complete, but > I fear that they need complex modifications of the existing code. Do you > think that this design and this first step could be considered and > merged first, without closing the door for further improvement?What is the standard procedure or what would be the preferred way of sharing these patches? Send the aggerated patch in one email? Send all the atomic patch in a single email? Use git send email to send atomic patches as 9 emails plus header? In the mean time, the patches are available: - Via the bugzilla: https://bugzilla.mindrot.org/show_bug.cgi?id=2408 - On GitHub: https://github.com/CERN-CERT/openssh-portable (last 9) I've also published a small explanation on why we are doing it: https://cern-cert.github.io/pam_2fa/ Thanks in advance for your comments, Vincent -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160114/2f133e42/attachment.bin>