openssh bugs - Dec 2021 - [Bug 3370] New: pam_ssh_agent_auth - passing wrong username argument when used in /etc/pam.d/su-l

https://bugzilla.mindrot.org/show_bug.cgi?id=3370

            Bug ID: 3370
           Summary: pam_ssh_agent_auth - passing wrong username argument
                    when used in /etc/pam.d/su-l
           Product: Portable OpenSSH
           Version: 8.8p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: neilmw1 at gmail.com

Tested on several versions from 8.8p1 right back to 7.4p1 and on
different distros (RHEL, Ubuntu)

Issue: If you use su - <username> to elevate privileges when using the
auth suffucient pam_ssh_agent_auth .so
authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys parameters
within /etc/pam.d/su-l it passes the logged on username instead of the
user to be elevated to.  The result of this is the wrong public key is
returned by sss_ssh_authorizedkeys.  

Debugging:
It seems to be specific to authorized_keys_command within pam_ssh_agent
as I've tried writing a simple bash script which outputs %u and that is
returning the wrong user.  If you use file=/%h/%u/.ssh/authorized_keys
that does return the correct user which makes e think its specific to
the command.

Scenario:

User alice with standard privileges logs on from Windows using
pageant/PuttyCAC and has a smart card inserted.  To do any superuser
commands, she has to elevate herself with su - adminalice.

- SSH connects fine
- Alice does su - adminalice <enter>
- Authentication starts processing but rejects the authentication by
smartcard (returns wrong smartcard inserted within Windows) and reverts
to password (the next line down in the pam.d file)

- When using "debug" in the pam.d/su-l file you can see the following
output in /var/log/secure or /var/log/auth.log:
pam_ssh_agent_auth: debug1: Running AuthorizedKeysCommand:
"/usr/bin/sss_ssh_authorizedkeys" as "alice" with argument:
"alice"

- This *should* read
pam_ssh_agent_auth: debug1: Running AuthorizedKeysCommand:
"/usr/bin/sss_ssh_authorizedkeys" as "alice" with argument:
"adminalice"

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3370

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Sorry, but pam_ssh_agent_auth.so is not our software. It's not written
or maintained by the OpenSSH team.

AFAIK this is the team that maintain this software:
https://github.com/jbeverly/pam_ssh_agent_auth

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3370

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
closing bugs resolved before openssh-8.9

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.