bugzilla-daemon at mindrot.org
2015-Apr-13 13:14 UTC
[Bug 2378] New: Allow login to a role using Hostbased auth on platforms supporting PAM_AUSER
https://bugzilla.mindrot.org/show_bug.cgi?id=2378
Bug ID: 2378
Summary: Allow login to a role using Hostbased auth on platforms supporting PAM_AUSER
Product: Portable OpenSSH
Version: 6.8p1
Hardware: Sparc
OS: Solaris
Status: NEW
Severity: enhancement
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
Reporter: tomas.kuthan at oracle.com
When remote roles are allowed by PAM configuration, OpenSSH should allow login to a role for hostbased authentication.
E.g.
- if local user testuser has been assigned role testrole
- and hostbased authentication has been configured for remote host
- and local PAM account stack lists pam_roles module with option allow_remote
- then remote user testuser should be allowed to directly login to testrole
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2015-Apr-13 13:15 UTC
[Bug 2378] Allow login to a role using Hostbased auth on platforms supporting PAM_AUSER
https://bugzilla.mindrot.org/show_bug.cgi?id=2378
Tomas Kuthan <tomas.kuthan at oracle.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |tomas.kuthan at oracle.com
--- Comment #1 from Tomas Kuthan <tomas.kuthan at oracle.com> ---
Created attachment 2582
--> https://bugzilla.mindrot.org/attachment.cgi?id=2582&action=edit
patch implementing login to a role
bugzilla-daemon at mindrot.org
2015-Apr-13 13:20 UTC
[Bug 2378] Allow login to a role using Hostbased auth on platforms supporting PAM_AUSER
https://bugzilla.mindrot.org/show_bug.cgi?id=2378
--- Comment #2 from Tomas Kuthan <tomas.kuthan at oracle.com> ---
Steps to reproduce/test
----
On the server:
echo 'HostBasedAuthentication yes' >>/etc/ssh/sshd_config
echo 'IgnoreRhosts no' >>/etc/ssh/sshd_config
svcadm restart ssh
roleadd -m testrole
useradd -m -R testrole testuser
cat >/etc/pam.d/sshd-hostbased <<EOF
auth definitive pam_user_policy.so.1
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth required pam_unix_auth.so.1
auth required pam_unix_cred.so.1
account requisite pam_roles.so.1 allow_remote debug
account definitive pam_user_policy.so.1
account required pam_unix_account.so.1
account required pam_tsol_account.so.1
session definitive pam_user_policy.so.1
session required pam_unix_session.so.1
@ password definitive pam_user_policy.so.1
@ password include pam_authtok_common
@ password required pam_authtok_store.so.1
EOF
su - testrole
echo '192.168.0.1 testuser' >.shosts
ssh testuser@192.168.0.1 # to populate known_hosts
^D
On the client:
echo 'EnableSSHKeysign yes' >>/etc/ssh/ssh_config
useradd -m testuser
su - testuser
ssh testrole@serverb.tkuthan.oracle.com
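Added example (not part of the bug report or the attached patch): the server steps above append to sshd_config with >>, but sshd uses the first value it obtains for each keyword, and lines after a Match line apply only conditionally, so an appended directive may not be the effective one. This Python check computes the effective global values and looks for allow_remote on the account-stack pam_roles line; the function names and sample configurations are constructed for illustration.

```python
# Added example; sample configs below are constructed, helper names hypothetical.
SSHD_DEFAULTS = {"hostbasedauthentication": "no", "ignorerhosts": "yes"}

def effective_global(sshd_text):
    """Global sshd_config values; the first occurrence of a keyword wins."""
    seen = {}
    for raw in sshd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        key = parts[0].lower()              # keywords are case-insensitive
        if key == "match":                  # later lines are conditional
            break
        if len(parts) > 1:
            seen.setdefault(key, parts[1].lower())
    return {**SSHD_DEFAULTS, **seen}

def pam_roles_allows_remote(pam_text):
    """True if an account-stack pam_roles line carries allow_remote."""
    for raw in pam_text.splitlines():
        f = raw.split("#", 1)[0].split()
        if (len(f) >= 3 and f[0] == "account"
                and f[2].rsplit("/", 1)[-1].startswith("pam_roles.so")
                and "allow_remote" in f[3:]):
            return True
    return False

def matches_test_setup(sshd_text, pam_text):
    """All three server-side settings from the steps are in effect."""
    cfg = effective_global(sshd_text)
    return (cfg["hostbasedauthentication"] == "yes"
            and cfg["ignorerhosts"] == "no"
            and pam_roles_allows_remote(pam_text))

PAM = ("account requisite pam_roles.so.1 allow_remote debug\n"
       "account required pam_unix_account.so.1\n")
APPENDED = "Port 22\nHostBasedAuthentication yes\nIgnoreRhosts no\n"
SHADOWED = "HostbasedAuthentication no\n" + APPENDED   # earlier line wins
IN_MATCH = "Match User admin\n  X11Forwarding no\n" + APPENDED

if __name__ == "__main__":
    for name, text in [("appended", APPENDED), ("shadowed", SHADOWED),
                       ("in_match", IN_MATCH)]:
        print(name, matches_test_setup(text, PAM))
```

The same first-value rule applies to the client's ssh_config, so the appended EnableSSHKeysign line deserves the same check.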