bugzilla-daemon at bugzilla.mindrot.org
2018-Sep-25 21:58 UTC
[Bug 2910] New: sshd_config Match section - pam functions cannot use stdout?
https://bugzilla.mindrot.org/show_bug.cgi?id=2910

Bug ID: 2910
Summary: sshd_config Match section - pam functions cannot use stdout?
Product: Portable OpenSSH
Version: 7.6p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: akshay.moghe at gmail.com

What I'm seeing:
----------------
When a user login hits a "Match" section, the pam modules seem to be unable to use stdout.

Steps to repro:
---------------
I'm running an almost vanilla openssh installation inside a ubuntu:bionic container. In here, I append the following to the bottom of the file:

```
Match Group foobar
    ForceCommand bash
```

Next, I add 2 users to the system, named `foobar` and `bazbaz`.

Next, I add some text to the MOTD file (/etc/motd).

Next, I also modify the /etc/pam.d/sshd config to contain these:

```
session optional pam_motd.so noupdate
session optional pam_exec.so stdout /bin/echo ECHOECHO
```

So when I log in using `bazbaz` I see that the motd and the stdout message appear (as emitted by the PAM module). Also the PrintLastLog directive kicks in and the last login is also printed.

However when I log in using `foobar` (where the Match directive kicks in) then I see neither the motd, nor the stdout message, nor the lastlog.

This leads me to believe that stdout handling is somehow different when the Match is hit. I would have suspected the pam modules (or libpam) but since the LastLog is an `sshd` function, I'm inclined to believe this is somehow related to stdout (hence marking the component as 'sshd').

Not sure if this is a bug or a case of missing documentation.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-08 23:25 UTC
[Bug 2910] sshd_config Match section - pam functions cannot use stdout?
https://bugzilla.mindrot.org/show_bug.cgi?id=2910

Akshay <akshay.moghe at gmail.com> changed:

What     |Removed |Added
----------------------------------------------------------------------------
Priority |P5      |P3

--- Comment #1 from Akshay <akshay.moghe at gmail.com> ---
Bumping up importance (P = priority?) to see if I can get some visibility.
bugzilla-daemon at bugzilla.mindrot.org
2018-Dec-07 04:07 UTC
[Bug 2910] sshd_config Match section - pam functions cannot use stdout?
https://bugzilla.mindrot.org/show_bug.cgi?id=2910

Damien Miller <djm at mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
stdout isn't attached in any case. The session modules record the output of the PAM conversation functions at the end of the authentication phase and it is replayed later when the user has an actual channel over which to send them.

The difference is not stdout, but that the login messages are suppressed when a command is executed so as not to pollute the command's stdout.
bugzilla-daemon at bugzilla.mindrot.org
2018-Dec-19 23:07 UTC
[Bug 2910] sshd_config Match section - pam functions cannot use stdout?
https://bugzilla.mindrot.org/show_bug.cgi?id=2910

--- Comment #3 from Akshay <akshay.moghe at gmail.com> ---
> The difference is not stdout, but that the login messages are suppressed when a command is executed so as not to pollute the command's stdout.

Gotcha. In that case, is there a way to un-suppress those messages?

I'm looking to use a `Match` clause along with a ForceCommand to force a particular login shell. When used this way, the login messages cease to work. (I guess I'm in the need for a `ForceShell` if one exists).
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-22 11:34 UTC
[Bug 2910] sshd_config Match section - pam functions cannot use stdout?
https://bugzilla.mindrot.org/show_bug.cgi?id=2910

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
I'm not sure - you *might* be able to use a PAM session session - the messages for these are queued and displayed at login time.
bugzilla-daemon at mindrot.org
2020-Nov-27 03:53 UTC
[Bug 2910] sshd_config Match section - pam functions cannot use stdout?
https://bugzilla.mindrot.org/show_bug.cgi?id=2910

Damien Miller <djm at mindrot.org> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Resolution |---     |WORKSFORME
Status     |NEW     |RESOLVED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
workaround provided. Please reopen if it doesn't work
bugzilla-daemon at mindrot.org
2021-Mar-03 22:53 UTC
[Bug 2910] sshd_config Match section - pam functions cannot use stdout?
https://bugzilla.mindrot.org/show_bug.cgi?id=2910

Damien Miller <djm at mindrot.org> changed:

What   |Removed  |Added
----------------------------------------------------------------------------
Status |RESOLVED |CLOSED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle
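
Added example, not part of the thread and not OpenSSH or project code: since sshd suppresses login messages whenever a command (including a ForceCommand) is executed, one option is to have the forced command print /etc/motd itself, while still keeping non-interactive sessions clean for the reason given in Comment #2. The wrapper path `/usr/local/bin/login-wrapper`, its `--run` argument and the function names are hypothetical; this is a different approach from the PAM session suggestion in Comment #4.

```shell
#!/bin/sh
# Hypothetical ForceCommand wrapper (added example, not OpenSSH code).
# Assumed sshd_config, adapted from the report:
#   Match Group foobar
#       ForceCommand /usr/local/bin/login-wrapper --run

MOTD_FILE="${MOTD_FILE:-/etc/motd}"

# Decide whether printing a banner is safe.
#   $1 = "yes" if the session has a tty, anything else otherwise
#   $2 = value of SSH_ORIGINAL_COMMAND (empty for a plain login)
#   $3 = the user's home directory
should_print_motd() {
    # No tty: scp, rsync or a remote command; extra output would
    # corrupt the data stream the client expects on stdout.
    [ "$1" = "yes" ] || return 1
    # The client asked for a specific command, so stay quiet.
    [ -z "$2" ] || return 1
    # Honour ~/.hushlogin, as sshd does for normal logins.
    [ ! -e "$3/.hushlogin" ] || return 1
    return 0
}

# Print the motd file if it is readable; a missing file is not an error.
print_motd() {
    [ -r "$1" ] && cat "$1"
    return 0
}

# Only act as the forced command when invoked with --run, so the
# functions above can be sourced and tested on their own.
if [ "${1:-}" = "--run" ]; then
    if [ -t 0 ]; then has_tty=yes; else has_tty=no; fi
    if should_print_motd "$has_tty" "${SSH_ORIGINAL_COMMAND:-}" "$HOME"; then
        print_motd "$MOTD_FILE"
    fi
    # Same effect as the report's "ForceCommand bash": the client's
    # requested command is ignored and the forced shell runs.
    exec bash
fi
```

This only restores the motd text; the lastlog line and messages queued by PAM modules such as pam_exec are not reproduced by the wrapper.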