bugzilla-daemon at bugzilla.mindrot.org
2018-Sep-25 21:58 UTC
[Bug 2910] New: sshd_config Match section - pam functions cannot use stdout?
https://bugzilla.mindrot.org/show_bug.cgi?id=2910
Bug ID: 2910
Summary: sshd_config Match section - pam functions cannot use
stdout?
Product: Portable OpenSSH
Version: 7.6p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: akshay.moghe at gmail.com
What I'm seeing:
----------------
When a user login hits a "Match" section, the pam modules seem to be
unable to use stdout.
Steps to repro:
---------------
I'm running an almost vanilla openssh installation inside a
ubuntu:bionic container. In here, I append the following to the bottom
of the file:
```
Match Group foobar
ForceCommand bash
```
Next, I add 2 users to the system, named `foobar` and `bazbaz`.
Next, I add some text to the MOTD file (/etc/motd).
Next, I also modify the /etc/pam.d/sshd config to contain these:
```
session optional pam_motd.so noupdate
session optional pam_exec.so stdout /bin/echo ECHOECHO
```
So when I log in using `bazbaz` I see that the motd and the stdout
message appear (as emitted by the PAM module). Also the PrintLastLog
directive kicks in and the last login is also printed.
However when I log in using `foobar` (where the Match directive kicks
in) then I see neither the motd, nor the stdout message, nor the
lastlog. This leads me to believe that stdout handling is somehow
different when the Match is hit. I would have suspected the pam modules
(or libpam) but since the LastLog is an `sshd` function, I'm inclined
to believe this is somehow related to stdout (hence marking the
component as 'sshd').
Not sure if this is a bug or a case of missing documentation.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-08 23:25 UTC
[Bug 2910] sshd_config Match section - pam functions cannot use stdout?
https://bugzilla.mindrot.org/show_bug.cgi?id=2910
Akshay <akshay.moghe at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P5 |P3
--- Comment #1 from Akshay <akshay.moghe at gmail.com> ---
Bumping up importance (P = priority?) to see if I can get some
visibility.
bugzilla-daemon at bugzilla.mindrot.org
2018-Dec-07 04:07 UTC
[Bug 2910] sshd_config Match section - pam functions cannot use stdout?
https://bugzilla.mindrot.org/show_bug.cgi?id=2910
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
stdout isn't attached in any case. The session modules record the
output of the PAM conversation functions at the end of the
authentication phase and it is replayed later when the user has an
actual channel over which to send them.
The difference is not stdout, but that the login messages are
suppressed when a command is executed so as not to pollute the
command's stdout.
bugzilla-daemon at bugzilla.mindrot.org
2018-Dec-19 23:07 UTC
[Bug 2910] sshd_config Match section - pam functions cannot use stdout?
https://bugzilla.mindrot.org/show_bug.cgi?id=2910
--- Comment #3 from Akshay <akshay.moghe at gmail.com> ---
> The difference is not stdout, but that the login messages are
> suppressed when a command is executed so as not to pollute the
> command's stdout.
Gotcha. In that case, is there a way to un-suppress those messages? I'm
looking to use a `Match` clause along with a ForceCommand to force a
particular login shell. When used this way, the login messages cease to
work. (I guess I'm in need of a `ForceShell` if one exists).
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-22 11:34 UTC
[Bug 2910] sshd_config Match section - pam functions cannot use stdout?
https://bugzilla.mindrot.org/show_bug.cgi?id=2910
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
I'm not sure - you *might* be able to use a PAM session session - the
messages for these are queued and displayed at login time.
bugzilla-daemon at mindrot.org
2020-Nov-27 03:53 UTC
[Bug 2910] sshd_config Match section - pam functions cannot use stdout?
https://bugzilla.mindrot.org/show_bug.cgi?id=2910
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WORKSFORME
Status|NEW |RESOLVED
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
workaround provided. Please reopen if it doesn't work
bugzilla-daemon at mindrot.org
2021-Mar-03 22:53 UTC
[Bug 2910] sshd_config Match section - pam functions cannot use stdout?
https://bugzilla.mindrot.org/show_bug.cgi?id=2910
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle
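Added example, not part of the thread and not OpenSSH code: a ForceCommand wrapper that prints the login message itself for plain logins and stays silent when the client requested a command, which is the stdout-pollution case comment #2 describes. The wrapper path, the `MOTD_FILE` override and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (constructed): a ForceCommand wrapper that prints the login
# message itself, but only for sessions where the client asked for no command.
# Assumed sshd_config (the wrapper path is hypothetical):
#   Match Group foobar
#       ForceCommand /usr/local/bin/login-wrapper
# Not an access restriction: any command the client requests is still run.

MOTD_FILE="${MOTD_FILE:-/etc/motd}"

# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND when
# ForceCommand overrides it; empty or unset means a plain login.
session_kind() {
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo command
    else
        echo interactive
    fi
}

# Print the MOTD if it is readable; a missing file is not an error.
show_login_messages() {
    if [ -r "$MOTD_FILE" ]; then
        cat "$MOTD_FILE"
    fi
}

run_session() {
    case "$(session_kind)" in
        interactive)
            show_login_messages
            exec bash -l
            ;;
        command)
            # Keep stdout clean for scp, rsync, git and similar clients.
            exec bash -c "$SSH_ORIGINAL_COMMAND"
            ;;
    esac
}

# Take over only when started by sshd, which sets SSH_CONNECTION.
if [ -n "${SSH_CONNECTION:-}" ]; then
    run_session
fi
```

Output from `pam_exec.so stdout` and the last-login line are not reproduced by this wrapper; it only covers the MOTD file.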