I've been looking for a while and can't figure out for sure if variables allowed by AcceptEnv are readable by a PAM module. I looked through the openssh source code and found a few calls to pam_putenv(), which looks like the relevant call, but I don't see anything that would copy over AcceptEnv variables. Am I correct that the variables are not available to PAM? I'm guessing there are security implications to passing arbitrary variables through to PAM but is there some other way I can do so?

The reason I ask is because I'm working with the SLURM resource manager to monitor remote processes launched via ssh. It's not perfect, but I'm using SendEnv and AcceptEnv to pass $SLURM_JOB_ID around. I want to run a PAM module or script that assigns sshd and its children to a particular cgroup (based on $SLURM_JOB_ID) using a slurm API call. The best solution I have found seems to be calling a script from /etc/ssh/sshrc as the user (which can be negated by users creating ~/.sshrc). Is that the best option at the moment? Ideally we would do this in PAM as root but it doesn't seem possible for now.

Ryan Cox
On Mon, 14 Oct 2013, Ryan Cox wrote:

> I've been looking for a while and can't figure out for sure if variables
> allowed by AcceptEnv are readable by a PAM module. I looked through the
> openssh source code and found a few calls to pam_putenv(), which looks like
> the relevant call, but I don't see anything that would copy over AcceptEnv
> variables. Am I correct that the variables are not available to PAM?

No, they are only applied when the user's session is created, after authentication.

> I'm guessing there are security implications to passing arbitrary variables
> through to PAM but is there some other way I can do so?

No, because the accepted environment variables are sent as part of the session establishment that occurs well after authentication completes. Maybe it would be possible to run the PAM session modules for each multiplexed session (right now we run them right after authentication but before session), but I'm not sure it would be safe to allow the user environment through to them if they continue to run as root.

-d
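The sshrc workaround discussed in this thread has a property worth making explicit: anything that arrives via SendEnv/AcceptEnv was chosen by the ssh client, so a hook that acts on $SLURM_JOB_ID is acting on untrusted input. The script below is an added example, not code from either poster or from OpenSSH or SLURM; it shows the shape of a /etc/ssh/sshrc-style hook that validates the job id before doing anything with it. The cgroup/SLURM call itself is left as a clearly marked placeholder, since the thread names no specific API.

```shell
#!/bin/sh
# Added example (not from the thread): an /etc/ssh/sshrc-style hook that treats
# SLURM_JOB_ID as untrusted client input, because SendEnv/AcceptEnv let the ssh
# client set it and sshrc runs as the logged-in user, not as root.

# Return 0 only if $1 is a plain positive decimal integer of sane length.
# Anything else (empty, signs, spaces, shell metacharacters) is rejected.
validate_job_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;    # empty, or contains a non-digit
    esac
    [ "${#1}" -le 12 ] || return 1  # constructed upper bound on length
    [ "$1" -gt 0 ]                  # all digits here, so -gt is safe; rejects 0
}

# Decide what the hook does with the value it was handed.
# Prints "assign <id>" for an acceptable job id, "skip" otherwise.
sshrc_action() {
    job_id="$1"
    if validate_job_id "$job_id"; then
        echo "assign $job_id"
    else
        echo "skip"
    fi
}

# Entry point as /etc/ssh/sshrc would run it. $PPID is the sshd child that
# spawned this hook; the real adoption command is a hypothetical placeholder.
main() {
    action=$(sshrc_action "${SLURM_JOB_ID:-}")
    case "$action" in
        assign*)
            id=${action#assign }
            logger -t sshrc "ssh session for ${USER:-unknown} joined SLURM job $id"
            # Placeholder for the actual cgroup/SLURM call, not a real tool:
            # /path/to/slurm_adopt_pid "$id" "$PPID"
            ;;
        skip)
            logger -t sshrc "ssh session for ${USER:-unknown} has no valid SLURM_JOB_ID; not adopted"
            ;;
    esac
}
```

Installed as /etc/ssh/sshrc the file would end with a call to `main`. Two caveats from the thread itself still apply: the hook runs with the user's privileges, so it cannot do anything a user could not already do to their own processes, and a user can bypass /etc/ssh/sshrc entirely by creating ~/.ssh/rc. The validation above limits the damage from a malformed or hostile value; it does not turn the environment variable into an authenticated claim about which job the session belongs to.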