bugzilla-daemon at mindrot.org
2021-Dec-09 15:33 UTC
[Bug 3370] New: pam_ssh_agent_auth - passing wrong username argument when used in /etc/pam.d/su-l
https://bugzilla.mindrot.org/show_bug.cgi?id=3370

            Bug ID: 3370
           Summary: pam_ssh_agent_auth - passing wrong username argument
                    when used in /etc/pam.d/su-l
           Product: Portable OpenSSH
           Version: 8.8p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: neilmw1 at gmail.com

Tested on several versions from 8.8p1 right back to 7.4p1 and on different
distros (RHEL, Ubuntu).

Issue:

If you use su - <username> to elevate privileges when using the

  auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys

parameters within /etc/pam.d/su-l, it passes the logged-on username instead
of the user to be elevated to. The result of this is that the wrong public
key is returned by sss_ssh_authorizedkeys.

Debugging:

It seems to be specific to authorized_keys_command within pam_ssh_agent, as
I've tried writing a simple bash script which outputs %u and that is
returning the wrong user. If you use file=/%h/%u/.ssh/authorized_keys that
does return the correct user, which makes me think it's specific to the
command.

Scenario:

User alice with standard privileges logs on from Windows using
pageant/PuttyCAC and has a smart card inserted. To do any superuser
commands, she has to elevate herself with su - adminalice.
- SSH connects fine
- Alice does su - adminalice <enter>
- Authentication starts processing but rejects the authentication by
  smartcard (returns wrong smartcard inserted within Windows) and reverts to
  password (the next line down in the pam.d file)
- When using "debug" in the pam.d/su-l file you can see the following output
  in /var/log/secure or /var/log/auth.log:

  pam_ssh_agent_auth: debug1: Running AuthorizedKeysCommand: "/usr/bin/sss_ssh_authorizedkeys" as "alice" with argument: "alice"

- This *should* read:

  pam_ssh_agent_auth: debug1: Running AuthorizedKeysCommand: "/usr/bin/sss_ssh_authorizedkeys" as "alice" with argument: "adminalice"

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
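The following diagnostic harness is an added example and is not part of the bug report, of pam_ssh_agent_auth or of OpenSSH. It does two things a practitioner chasing this symptom would want: it provides a wrapper to install as the authorized_keys_command so the user name the module actually passes is recorded (the path /usr/bin/sss_ssh_authorizedkeys is taken from the report and is only assumed to exist; recording PAM_USER assumes the caller exports it, which is not guaranteed), and it parses the "Running AuthorizedKeysCommand" debug line quoted above and flags the case where the argument is not the su target. The sample log line is constructed from the report.

```shell
#!/bin/sh
# Added diagnostic harness (not from the bug report or pam_ssh_agent_auth).
#  - akc_wrapper: stand-in for the authorized_keys_command that records the
#    username argument it is invoked with, then delegates to the real lookup
#    (REAL_AKC is an assumed path; it need not exist for the checks below).
#  - akc_argument / akc_mismatch: pull the argument out of the debug line
#    pam_ssh_agent_auth writes to the auth log and compare it with the
#    intended target of "su - <target>".

REAL_AKC="${REAL_AKC:-/usr/bin/sss_ssh_authorizedkeys}"   # assumed location
AKC_LOG="${AKC_LOG:-/tmp/akc-args.log}"                    # chosen for this example

# Install as e.g. /usr/local/sbin/akc-wrapper (hypothetical name) and point
# authorized_keys_command= at it. Whatever user name the module passes lands
# in AKC_LOG; PAM_USER is recorded only if the caller happens to export it.
akc_wrapper() {
    printf '%s argument=%s PAM_USER=%s\n' "$(date +%Y-%m-%dT%H:%M:%S)" \
        "${1:-<none>}" "${PAM_USER:-<unset>}" >> "$AKC_LOG"
    if [ -x "$REAL_AKC" ]; then
        exec "$REAL_AKC" "$@"
    fi
    return 0
}

# Extract the quoted argument from a line of the form
#   pam_ssh_agent_auth: debug1: Running AuthorizedKeysCommand: "<cmd>" as "<user>" with argument: "<arg>"
# Prints nothing if the line does not match.
akc_argument() {
    printf '%s\n' "$1" | sed -n 's/.*with argument: "\([^"]*\)".*/\1/p'
}

# Exit status 0: the logged argument differs from the target user (the
# symptom in the report). 1: they agree. 2: not a line we understand.
akc_mismatch() {
    target="$1"
    arg="$(akc_argument "$2")"
    [ -n "$arg" ] || return 2
    [ "$arg" != "$target" ]
}

# Constructed sample: the debug line quoted in the report, checked against
# the user alice was trying to become.
SAMPLE='pam_ssh_agent_auth: debug1: Running AuthorizedKeysCommand: "/usr/bin/sss_ssh_authorizedkeys" as "alice" with argument: "alice"'
if akc_mismatch adminalice "$SAMPLE"; then
    echo "mismatch: expected argument \"adminalice\", got \"$(akc_argument "$SAMPLE")\""
else
    echo "argument matches target"
fi
```

Run the parsing half over the whole log with something like `grep 'Running AuthorizedKeysCommand' /var/log/auth.log` piped into a loop calling akc_mismatch with the target from the corresponding su line; the wrapper half is only useful once installed in place of the real command, and its log file should be root-owned since it records which principal each lookup was made for.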
bugzilla-daemon at mindrot.org
2021-Dec-10 01:46 UTC
[Bug 3370] pam_ssh_agent_auth - passing wrong username argument when used in /etc/pam.d/su-l
https://bugzilla.mindrot.org/show_bug.cgi?id=3370

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Sorry, but pam_ssh_agent_auth.so is not our software. It's not written or
maintained by the OpenSSH team.

AFAIK this is the team that maintain this software:
https://github.com/jbeverly/pam_ssh_agent_auth
bugzilla-daemon at mindrot.org
2022-Feb-25 02:56 UTC
[Bug 3370] pam_ssh_agent_auth - passing wrong username argument when used in /etc/pam.d/su-l
https://bugzilla.mindrot.org/show_bug.cgi?id=3370

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
closing bugs resolved before openssh-8.9