Bug#995452: libpam-ssh breaks the agent-forwarding of normal ssh

2021-12-12 Thread Jerome BENOIT

Hello Michael,



On Fri, 01 Oct 2021 14:37:44 +0200 Michael Schindler wrote:

On the client machine with libpam-ssh installed,
however, this functionality is broken: Instead of forwarding the agent from the
server, it sets the environment variables SSH_AUTH_PID and SSH_AUTH_SOCK then
point to the freshly started ssh-agent on the client, which has no keys
charged. Thus, the login to the next client fails.




Basically you say that there is a competition between sshd and libpam-ssh.
And in fact this competition is actually not well managed.
Actually, I think that there is no policy at all for this situation.

Cheers,
Jerome

--
Jerome BENOIT | calculus+at-rezozer^dot*net
https://qa.debian.org/developer.php?login=calcu...@rezozer.net
AE28 AE15 710D FF1D 87E5  A762 3F92 19A6 7F36 C68B





Bug#995452: libpam-ssh breaks the agent-forwarding of normal ssh

2021-12-11 Thread Jerome BENOIT

On Mon, 29 Nov 2021 11:19:36 +0100 Jerome BENOIT wrote:

Thanks for sharing your file.
I will have a closer look soon,
Cheers,
Jerome


ping,
cheers,
Jerome






Bug#995452: libpam-ssh breaks the agent-forwarding of normal ssh

2021-11-29 Thread Jerome BENOIT

Thanks for sharing your file.
I will have a closer look soon,
Cheers,
Jerome





Bug#995452: libpam-ssh breaks the agent-forwarding of normal ssh

2021-11-16 Thread Matti Kurkela



Looks like my spam filter ate the notification that you answered, and/or 
since my post was "additional information only", I did not get a 
notification in the first place.


My /etc/pam.d/sddm:

-
#%PAM-1.0

# Block login if they are globally disabled
auth    requisite   pam_nologin.so
auth    required    pam_succeed_if.so user != root quiet_success

# auth  sufficient  pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
# gnome_keyring breaks QProcess
-auth   optional    pam_gnome_keyring.so
-auth   optional    pam_kwallet5.so
-auth   optional    pam_ssh.so use_first_pass

@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# Create a new session keyring.
session optional    pam_keyinit.so force revoke
session required    pam_limits.so
session required    pam_loginuid.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

-session optional   pam_gnome_keyring.so auto_start
-session optional   pam_kwallet5.so auto_start
-session optional   pam_ssh.so

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to
# other modules, this module should be the last one on the stack.

# Load environment from /etc/environment
session required    pam_env.so

# Load environment from /etc/default/locale and ~/.pam_environment
session required    pam_env.so envfile=/etc/default/locale user_readenv=1

-
And my /etc/pam.d/login:
-
#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=300

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# Sets the loginuid process attribute
session    required   pam_loginuid.so

# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional   pam_motd.so motd=/run/motd.dynamic
session    optional   pam_motd.so noupdate

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
# pam_selinux.so changes the SELinux context of the used TTY and configures
# SELinux in order to transition to the user context with the next execve()
# call.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session   required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session   required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth

Bug#995452: libpam-ssh breaks the agent-forwarding of normal ssh

2021-11-07 Thread Jerome BENOIT

On Sun, 3 Oct 2021 03:25:54 +0300 Matti Kurkela wrote:

Dear Kurkela, thanks for your report.

I apologise for my late reply.

Actually I agree with your comments.
My current set up on my main computer follows your comment below.

As far as I can remember, I have never revisited the pam-auth-update(8)
configuration file of this package since I began to maintain it.

Meanwhile, note that I put some warning in the README.Debian file.

Can you share your /etc/pam.d/login and /etc/pam.d/*dm files so that
I can compare with my set up?


The workaround/fix for this would be to not let pam-auth-update add 
pam_ssh.so into common-auth and common-session, but add the necessary 
lines *selectively* only to services that handle local logins like 
/etc/pam.d/login and /etc/pam.d/*dm, but *not* to /etc/pam.d/sshd.


That should allow libpam-ssh to start the agent on initial login, but 
leave the SSH sessions and their agent forwarding alone.


If you need the "authentication by SSH key passphrase" functionality on 
SSH connections, you could add only the "auth optional pam_ssh.so 
try_first_pass" line to /etc/pam.d/sshd. (Note that this line should not 
be the first authentication module, to prevent an information leak, as 
described in the pam_ssh(8) man page.)





Cheers,
Jerome




Bug#995452: libpam-ssh breaks the agent-forwarding of normal ssh

2021-10-26 Thread Jerome BENOIT

I am working on it.





Bug#995452: libpam-ssh breaks the agent-forwarding of normal ssh

2021-10-02 Thread Matti Kurkela
The workaround/fix for this would be to not let pam-auth-update add 
pam_ssh.so into common-auth and common-session, but add the necessary 
lines *selectively* only to services that handle local logins like 
/etc/pam.d/login and /etc/pam.d/*dm, but *not* to /etc/pam.d/sshd.


That should allow libpam-ssh to start the agent on initial login, but 
leave the SSH sessions and their agent forwarding alone.


If you need the "authentication by SSH key passphrase" functionality on 
SSH connections, you could add only the "auth optional pam_ssh.so 
try_first_pass" line to /etc/pam.d/sshd. (Note that this line should not 
be the first authentication module, to prevent an information leak, as 
described in the pam_ssh(8) man page.)
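As an added audit example (not code from this bug thread, the libpam-ssh package or any Debian tool): a small Python script that resolves @include in a pam.d tree and reports which services end up loading pam_ssh.so, so the selective setup described above can be verified and an sshd service that still pulls pam_ssh.so in through common-session is caught. The pam.d tree it writes is constructed for the demo, and the function names (parse_service, pam_ssh_services, build_sample_tree, demo) are this example's own.

```python
import os, re, tempfile

RULE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")  # type control module args

def parse_service(pamd, name, seen=None):
    """Rules (type, control, module, args) of one service, @include expanded."""
    seen = set() if seen is None else seen
    path = os.path.join(pamd, name)
    if name in seen or not os.path.isfile(path):   # include loop or missing file
        return []
    seen.add(name)
    text = open(path).read().replace("\\\n", " ")  # rejoin '\'-continued lines
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("@include"):
            rules += parse_service(pamd, line.split()[1], seen)
        elif m := RULE_RE.match(line):             # '-' only hides "module missing"
            rules.append((m.group(1).lstrip("-"), m.group(2), m.group(3), m.group(4)))
    return rules

def pam_ssh_services(pamd):
    """service -> sorted management groups that load pam_ssh.so; 'session' under
    sshd is the combination that replaces a forwarded SSH_AUTH_SOCK."""
    found = {}
    for name in sorted(n for n in os.listdir(pamd) if not n.startswith("common-")):
        groups = {t for t, _, mod, _ in parse_service(pamd, name) if mod == "pam_ssh.so"}
        if groups:
            found[name] = sorted(groups)
    return found

def build_sample_tree(root, ssh_in_common):
    """Constructed pam.d tree: pam_ssh in common-* (pam-auth-update) or only in login."""
    ssh_auth, ssh_sess = "auth optional pam_ssh.so use_first_pass\n", "session optional pam_ssh.so\n"
    files = {
        "common-auth": "auth required pam_unix.so\n" + (ssh_auth if ssh_in_common else ""),
        "common-session": "session required pam_unix.so\n" + (ssh_sess if ssh_in_common else ""),
        "login": "@include common-auth\n@include common-session\n"
                 + ("" if ssh_in_common else "-" + ssh_auth + "-" + ssh_sess),
        "sshd": "@include common-auth\nsession [success=ok default=bad] \\\n"
                "    pam_selinux.so close\n@include common-session\n",
    }
    os.makedirs(root, exist_ok=True)
    for fname, body in files.items():
        open(os.path.join(root, fname), "w").write(body)
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return {f: pam_ssh_services(build_sample_tree(os.path.join(tmp, str(f)), f)) for f in (True, False)}
```

On a real host, pam_ssh_services("/etc/pam.d") lists every service that loads pam_ssh.so; sshd appearing with "session" is the configuration this bug describes.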




Bug#995452: libpam-ssh breaks the agent-forwarding of normal ssh

2021-10-01 Thread Michael Schindler
Package: libpam-ssh
Version: 2.3+ds-2
Severity: critical
Justification: breaks unrelated software

Dear Maintainer,

I configured and used the ssh-key forwarding of openssh. The mere installation
of libpam-ssh on the client machine breaks the functionality of
agent-forwarding in openssh: The reason for this is that libpam-ssh launches
its own ssh-agent instead of respecting the forward.

I have a server with an ssh-agent running and charged with the keys. Server and
clients are configured to forward the agent ("ForwardAgent yes" in the config
files). This is done by setting the environment variable SSH_AUTH_SOCK
appropriately. I can then log from one client to the next, and the key requests
are forwarded to the server. On the client machine with libpam-ssh installed,
however, this functionality is broken: Instead of forwarding the agent from the
server, it sets the environment variables SSH_AUTH_PID and SSH_AUTH_SOCK then
point to the freshly started ssh-agent on the client, which has no keys
charged. Thus, the login to the next client fails.


-- System Information:
Debian Release: 11.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-ssh depends on:
ii  libc6           2.31-13
ii  libpam-runtime  1.4.0-9
ii  libpam0g        1.4.0-9
ii  libssl1.1       1.1.1k-1+deb11u1

Versions of packages libpam-ssh recommends:
ii  libpam-tmpdir                0.09+b2
ii  openssh-client [ssh-client]  1:8.4p1-5

libpam-ssh suggests no packages.

-- no debconf information