Gert,

Thank you for the feedback. Can you give any further direction on where to get more information on what you are describing?

On Wed, Feb 17, 2016 at 3:17 PM, Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
>
> On Wed, Feb 17, 2016 at 12:59:57PM -0600, Lesley Kimmel wrote:
> > I would like to implement an arbitrary script to be executed when logging
> > on via SSH.
>
> I'd just do this in the PAM session handler.
>
> ForceCommand means "run this command *and then exit*", so this is not
> what you want.
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
So I probably shouldn't have said "arbitrary" script. What I really want to do is to present a terms of service notice (/etc/issue). But I also want to get the user to actually confirm (by typing 'y') that they accept. If they try to exit or type anything other than 'y' they will be denied access. I'm not sure a user can interact with a script being executed by PAM.

Also, I want to differentiate for SCP. It looks like OpenSSH will pass the SSH_ORIGINAL_COMMAND variable to the script so I can use that in the script logic and not enforce input for SCP and/or SFTP. So it would seem to be what I want. I found an example on the interwebs with something similar and I built my script similarly but I can't seem to get any output. I guess I was looking for help deciphering that DEBUG output.

On Wed, Feb 17, 2016 at 3:50 PM, Lesley Kimmel <lesley.j.kimmel at gmail.com> wrote:
> Gert,
>
> Thank you for the feedback. Can you give any further direction on where to
> get more information on what you are describing?
>
> On Wed, Feb 17, 2016 at 3:17 PM, Gert Doering <gert at greenie.muc.de> wrote:
>
>> Hi,
>>
>> On Wed, Feb 17, 2016 at 12:59:57PM -0600, Lesley Kimmel wrote:
>> > I would like to implement an arbitrary script to be executed when
>> > logging on via SSH.
>>
>> I'd just do this in the PAM session handler.
>>
>> ForceCommand means "run this command *and then exit*", so this is not
>> what you want.
>>
>> gert
>>
>> --
>> USENET is *not* the non-clickable part of WWW!
>> //www.muc.de/~gert/
>> Gert Doering - Munich, Germany
>> gert at greenie.muc.de
>> fax: +49-89-35655025
>> gert at net.informatik.tu-muenchen.de
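A wrapper along the lines described in the message above, as an added example that is not code from the thread: it inspects SSH_ORIGINAL_COMMAND to pass scp/sftp/rsync sessions through untouched, shows /etc/issue otherwise, and hands over to the login shell only after an explicit 'y'. The install path, the --run flag and the BANNER_FILE override are assumptions.

```shell
#!/bin/sh
# Constructed example (not code from the thread): a ForceCommand wrapper that
# shows /etc/issue, requires the user to type 'y', and passes scp/sftp/rsync
# commands through unchanged. The --run flag and install path are assumptions.

BANNER_FILE="${BANNER_FILE:-/etc/issue}"   # terms-of-service text to display

# Classify the session from the value of SSH_ORIGINAL_COMMAND (argument 1):
# a non-empty command means scp/sftp/rsync or "ssh host cmd", so no prompt.
classify_session() {
    if [ -n "${1:-}" ]; then
        echo passthrough
    else
        echo interactive
    fi
}

# Read one line from stdin; succeed only on an explicit 'y' or 'Y'.
# Fails on EOF (user closed the channel) or on any other answer.
confirm_terms() {
    if ! IFS= read -r answer; then
        return 1
    fi
    case "$answer" in
        y|Y) return 0 ;;
        *)   return 1 ;;
    esac
}

# Entry point when sshd runs the script: ForceCommand /path/to/wrapper --run
main() {
    if [ "$(classify_session "${SSH_ORIGINAL_COMMAND:-}")" = passthrough ]; then
        exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
    fi
    if [ -r "$BANNER_FILE" ]; then
        cat "$BANNER_FILE"
    fi
    printf 'Type y to accept the terms of service: '
    if confirm_terms; then
        exec "${SHELL:-/bin/sh}" -l    # hand the session to the login shell
    fi
    echo "Terms not accepted; closing session." >&2
    exit 1
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

In sshd_config this would be wired up as ForceCommand /usr/local/sbin/tos-wrapper --run (path assumed); the prompt only works when the client allocates a tty, which a plain interactive ssh login does by default.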
> So I probably shouldn't have said "arbitrary" script. What I really want to do
> is to present a terms of service notice (/etc/issue). But I also want to get
> the user to actually confirm (by typing 'y') that they accept. If they try to
> exit or type anything other than 'y' they will be denied access.

For interactive sessions, at least, can't you just do this in /etc/profile?
On Thu, Feb 18, 2016 at 9:47 AM, Lesley Kimmel <lesley.j.kimmel at gmail.com> wrote:
> [...] I'm not sure a user can interact with a script being executed by PAM.

It depends on what the PAM module running the script does, but probably not. The PAM stack runs before the user has a tty, so writing to stdout or stderr is a bad idea (sshd maps these to /dev/null so it won't crash sshd, but it won't do anything useful either).

Theoretically the PAM module could read stdio and package up the content into PAM_TEXT_INFO messages sent via the conversation function, which sshd could then send to the user, but I suspect it would be hard for the PAM module to know whether or not the script was trying to read from stdin and do something sensible in that case.

You might be able to construct what you want from pam_echo to send the message and a module that solicits a response and checks it (I don't know of such a module but in theory it wouldn't be hard to write).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
On Wed, Feb 17, 2016 at 5:47 PM, Lesley Kimmel <lesley.j.kimmel at gmail.com> wrote:
> So I probably shouldn't have said "arbitrary" script. What I really want to
> do is to present a terms of service notice (/etc/issue). But I also want to
> get the user to actually confirm (by typing 'y') that they accept. If they
> try to exit or type anything other than 'y' they will be denied access. I'm
> not sure a user can interact with a script being executed by PAM. Also, I
> want to differentiate for SCP.

I think you're really, really trying to hurt yourself and burning cycles better spent elsewhere on a non-enforceable service agreement. Sun tried this with their Java installer, and it was loathed by *everyone* who's had to cope with it.

If your scriptable operations for handling of specific keys are really limited, such as only serving rsync, you might take a look at the "validate-rsync.sh" script published in many places. But I suspect you're simply going to make your user community hate you, since this will break rsync over SSH, sftp, WinSCP based access to sftp or scp, etc. etc. etc. Shoving personal text interactions into a well-defined and very standard API is not a nice thing to do to your users.

Nico Kadel-Garcia <nkadel at gmail.com>
Lesley Kimmel <lesley.j.kimmel at gmail.com> writes:
> So I probably shouldn't have said "arbitrary" script. What I really
> want to do is to present a terms of service notice (/etc/issue). But I
> also want to get the user to actually confirm (by typing 'y') that
> they accept. If they try to exit or type anything other than 'y' they
> will be denied access.

It is relatively trivial to write a PAM module to do that.

DES
--
Dag-Erling Smørgrav - des at des.no