https://bugzilla.mindrot.org/show_bug.cgi?id=2408
--- Comment #1 from Vincent Brillault <[email protected]> ---

Created attachment 2754 --> https://bugzilla.mindrot.org/attachment.cgi?id=2754&action=edit
Expose successful auth methods via environments (pam and shell)

The attached patch exposes the authentication methods that were successful during the authentication to PAM via a PAM environment variable and to the child shell via an environment variable. It is inspired by the PoC written by György Demarcsek and the comments he received, but uses a different architecture:

- Any Authmethod can fill a "last_details" variable in the Authctxt in case of success. It should fill it with details about the credentials (e.g. RSA fingerprint)
- After each success, [email protected] aggregate the method used plus, if existing, this data into an "auth_details" variable in the Authctxt
- When creating a new PAM session, export "auth_details" as "SSH_USER_AUTH"
- When creating a shell session, export "auth_details" as "SSH_USER_AUTH", overriding if necessary the value coming from PAM
- Support Privilege Separation (in a somewhat degraded form)

I've in fact written 8 atomic patches (aggregated into this one). They are available, with some comments in the commits, on Github:
https://github.com/openssh/openssh-portable/compare/master...Feandil:master

This patch has been tested on an openssh-7.1p1 with the publickey and keyboard-interactive methods and considering the following Privilege Separation cases: Off, On, Sandbox (seccomp).

Some improvements could be built on top of this patch:

- Under Privilege Separation, expose details from key authentication
- In auth2-gss (in particular gss-serv-krb5), expose details about the credentials (e.g. the kerberos principal)

However, these improvements seem more complex and could maybe be added in a later patch?
--
You are receiving this mail because: You are watching the assignee of the bug.

openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
