On 8/1/2019 8:22 PM, Damien Miller wrote:
> On Thu, 1 Aug 2019, Carl Jenkins wrote:
>
>> Hi,
>>
>> I'm trying to develop a PAM module with OpenSSH, and I realized I need
>> to retrieve something in a later stage that was saved in another previous
>> stage. As far as my tests on OpenSSH 7.6 go, the password auth route
>> goes through PAM auth, account, session, and the session stage is in a
>> different UNIX process from the process where auth and account take place.
>> For the key auth route, auth stage is bypassed in favor of the AuthorizedKeys
>> or AuthorizedKeysCommand (in its own process) mechanisms, while PAM
>> account and session stages are in the same process. Is this correct?
>>
>> I'm aware of https://bugzilla.mindrot.org/show_bug.cgi?id=2548, which
>> corresponds to the password route. The key route doesn't seem to agree
>> with it. Regardless, I haven't seen fixes around it.
>>
>> And in either auth route, what do the two processes share uniquely for
>> the same login attempt, like a session ID that I can extract?
>
> I think the PAM environment might persist between stages, but
> get/put_item doesn't work because of OpenSSH's pre/postauth split.
I have not looked at this in a few years.
Sounds similar to an AFS Process Authentication Group (PAG). A PAG is set up so
all processes in a session can share network credentials, i.e. AFS tokens based
on Kerberos tickets. (DCE did something similar.) The PAG and the AFS tokens are
maintained in the kernel. This allows access to network resources based on being
a member of the PAG, and not on the UID on the local machine. SSH would forward
Kerberos tickets, which would be used to acquire AFS tokens.
https://docs.openafs.org/AdminGuide/HDRWQ63.html#HDRWQ64
https://docs.openafs.org/Reference/1/pagsh.html
http://pubs.opengroup.org/onlinepubs/9668899/chap1.htm
https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
Depending on your security requirements you could set an environment variable
that gets passed to each process.
This may or may not work: take the PID of the current process and use the PPID
to find the SSHD process, repeating if needed. Use the PID of the SSH process.
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
--
Douglas E. Engert <DEEngert at gmail.com>
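As an added example, not code from this thread or from OpenSSH: the parent-process walk Douglas suggests, written in C against the Linux /proc/<pid>/stat format (an assumption; the message does not name an OS). It parses the stat line correctly even when the process name contains spaces or parentheses, walks ppid links until it reaches the nearest ancestor named sshd, and stops at init, at an unreadable entry, or after a bounded depth so a malformed table cannot loop forever. The process table, its PIDs and the "keys-helper" process are constructed for the example and are not captured from a real host.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Added example (not from the mailing-list thread or from OpenSSH):
 * find the nearest ancestor process named "sshd" by walking ppid links.
 * Assumes the Linux /proc/<pid>/stat layout:
 *   "<pid> (<comm>) <state> <ppid> ..."                                  */

#define COMM_MAX 64

/* Parse one stat line into comm and ppid.  comm may itself contain spaces
 * or ')' (a process can rename itself), so locate the LAST ')' instead of
 * splitting on whitespace.  Returns 0 on success, -1 on malformed input. */
int parse_proc_stat(const char *stat, char *comm, size_t commlen, pid_t *ppid)
{
    const char *open = strchr(stat, '(');
    const char *close = strrchr(stat, ')');
    if (!open || !close || close < open || commlen == 0) return -1;
    size_t n = (size_t)(close - open - 1);
    if (n >= commlen) n = commlen - 1;
    memcpy(comm, open + 1, n);
    comm[n] = '\0';
    char state;
    long p;
    if (sscanf(close + 1, " %c %ld", &state, &p) != 2) return -1;
    *ppid = (pid_t)p;
    return 0;
}

/* Reader abstraction: the walk runs against the real /proc or against a
 * constructed table.  Fills buf with the stat line for pid; returns 0 on
 * success, -1 if the pid does not exist. */
typedef int (*stat_reader_fn)(pid_t pid, char *buf, size_t len, void *ctx);

/* Real reader for /proc/<pid>/stat (Linux). */
int proc_stat_reader(pid_t pid, char *buf, size_t len, void *ctx)
{
    (void)ctx;
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/stat", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    return ok ? 0 : -1;
}

/* Walk from start (inclusive) through ppid links until a process whose
 * comm equals name is found; return its pid.  Returns -1 on reaching
 * pid 1/0, an unreadable or malformed entry, or after 64 hops.
 * Note: the kernel truncates comm to 15 chars; "sshd" fits. */
pid_t find_ancestor_named(pid_t start, const char *name,
                          stat_reader_fn reader, void *ctx)
{
    char buf[512], comm[COMM_MAX];
    pid_t pid = start, ppid;
    for (int depth = 0; depth < 64 && pid > 1; depth++) {
        if (reader(pid, buf, sizeof buf, ctx) != 0) return -1;
        if (parse_proc_stat(buf, comm, sizeof comm, &ppid) != 0) return -1;
        if (strcmp(comm, name) == 0) return pid;
        pid = ppid;
    }
    return -1;
}

/* Constructed process table for offline use: a listener sshd, one
 * per-connection sshd child, and a helper forked from it (hypothetical
 * AuthorizedKeysCommand).  All values are invented for the example. */
struct fake_proc { pid_t pid, ppid; const char *comm; };

int fake_stat_reader(pid_t pid, char *buf, size_t len, void *ctx)
{
    const struct fake_proc *t = ctx;
    for (; t->pid != 0; t++)
        if (t->pid == pid) {
            snprintf(buf, len, "%ld (%s) S %ld 0 0 0",
                     (long)pid, t->comm, (long)t->ppid);
            return 0;
        }
    return -1;
}

static const struct fake_proc demo_table[] = {
    { 1,    0,    "systemd" },
    { 900,  1,    "sshd" },        /* listener                       */
    { 4242, 900,  "sshd" },        /* per-connection child            */
    { 4250, 4242, "keys-helper" }, /* hypothetical AuthorizedKeysCommand */
    { 4260, 4250, "sh" },
    { 0, 0, NULL }
};

pid_t demo_nearest_sshd(pid_t from)
{
    return find_ancestor_named(from, "sshd", fake_stat_reader, (void *)demo_table);
}

int main(void)
{
    printf("nearest sshd above 4260 (constructed table): %ld\n",
           (long)demo_nearest_sshd(4260));
    printf("nearest sshd above this process (real /proc, -1 if none): %ld\n",
           (long)find_ancestor_named(getpid(), "sshd", proc_stat_reader, NULL));
    return 0;
}
```

Two caveats before using the result as a per-login key inside a PAM module: with privilege separation there can be more than one sshd in the chain (the listener and the per-connection child, possibly more), so verify against your OpenSSH version which one is stable across the stages you need; and PIDs are recycled, so the value identifies the login only while that sshd process is alive and must not be persisted beyond the session.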