Bug#995452: libpam-ssh breaks the agent-forwarding of normal ssh
Hello Michael,

On Fri, 01 Oct 2021 14:37:44 +0200 Michael Schindler wrote:
> On the client machine with libpam-ssh installed, however, this functionality is broken: instead of forwarding the agent from the server, it sets the environment variables SSH_AUTH_PID and SSH_AUTH_SOCK, which then point to the freshly started ssh-agent on the client, which has no keys charged. Thus, the login to the next client fails.

Basically you say that there is a competition between sshd and libpam-ssh, and in fact that this competition is actually not well managed. Actually, I think that there is no policy at all for this situation.

Cheers,
Jerome
--
Jerome BENOIT | calculus+at-rezozer^dot*net
https://qa.debian.org/developer.php?login=calcu...@rezozer.net
AE28 AE15 710D FF1D 87E5 A762 3F92 19A6 7F36 C68B
Bug#995452: libpam-ssh breaks the agent-forwarding of normal ssh
On Mon, 29 Nov 2021 11:19:36 +0100 Jerome BENOIT wrote:
> Thanks for sharing your file. I will have a closer look soon,
> Cheers, Jerome

ping,

cheers,
Jerome
Bug#995452: libpam-ssh breaks the agent-forwarding of normal ssh
Thanks for sharing your file. I will have a closer look soon,

Cheers,
Jerome
Bug#995452: libpam-ssh breaks the agent-forwarding of normal ssh
Looks like my spam filter ate the notification that you answered, and/or since my post was "additional information only", I did not get a notification in the first place.

My /etc/pam.d/sddm:

-
#%PAM-1.0

# Block login if they are globally disabled
auth    requisite   pam_nologin.so
auth    required    pam_succeed_if.so user != root quiet_success
# auth  sufficient  pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
# gnome_keyring breaks QProcess
-auth   optional    pam_gnome_keyring.so
-auth   optional    pam_kwallet5.so
-auth   optional    pam_ssh.so use_first_pass
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Create a new session keyring.
session optional    pam_keyinit.so force revoke
session required    pam_limits.so
session required    pam_loginuid.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional   pam_gnome_keyring.so auto_start
-session optional   pam_kwallet5.so auto_start
-session optional   pam_ssh.so
@include common-password
# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
# Load environment from /etc/environment
session required    pam_env.so
# Load environment from /etc/default/locale and ~/.pam_environment
session required    pam_env.so envfile=/etc/default/locale user_readenv=1
-

And my /etc/pam.d/login:

-
#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=300

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# Sets the loginuid process attribute
session    required   pam_loginuid.so

# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional   pam_motd.so motd=/run/motd.dynamic
session    optional   pam_motd.so noupdate

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
# pam_selinux.so changes the SELinux context of the used TTY and configures
# SELinux in order to transition to the user context with the next execve()
# call.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session    required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session    required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth
Bug#995452: libpam-ssh breaks the agent-forwarding of normal ssh
On Sun, 3 Oct 2021 03:25:54 +0300 Matti Kurkela wrote:

Dear Kurkela,

thanks for your report. I apologise for my late reply. Actually I agree with your comments. My current setup on my main computer follows your comment below. As far as I can remember, I have never revisited the pam-auth-update(8) configuration file of this package since I began to maintain it. Meanwhile, note that I put some warning in the README.Debian file. Can you share your /etc/pam.d/login and /etc/pam.d/*dm files so that I can compare with my setup?

> The workaround/fix for this would be to not let pam-auth-update add pam_ssh.so into common-auth and common-session, but add the necessary lines *selectively* only to services that handle local logins like /etc/pam.d/login and /etc/pam.d/*dm, but *not* to /etc/pam.d/sshd. That should allow libpam-ssh to start the agent on initial login, but leave the SSH sessions and their agent forwarding alone. If you need the "authentication by SSH key passphrase" functionality on SSH connections, you could add only the "auth optional pam_ssh.so try_first_pass" line to /etc/pam.d/sshd. (Note that this line should not be the first authentication module, to prevent an information leak, as described in the pam_ssh(8) man page.)

Cheers,
Jerome
Bug#995452: libpam-ssh breaks the agent-forwarding of normal ssh
I am working on it.
Bug#995452: libpam-ssh breaks the agent-forwarding of normal ssh
The workaround/fix for this would be to not let pam-auth-update add pam_ssh.so into common-auth and common-session, but add the necessary lines *selectively* only to services that handle local logins like /etc/pam.d/login and /etc/pam.d/*dm, but *not* to /etc/pam.d/sshd. That should allow libpam-ssh to start the agent on initial login, but leave the SSH sessions and their agent forwarding alone. If you need the "authentication by SSH key passphrase" functionality on SSH connections, you could add only the "auth optional pam_ssh.so try_first_pass" line to /etc/pam.d/sshd. (Note that this line should not be the first authentication module, to prevent an information leak, as described in the pam_ssh(8) man page.)
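Added here as a worked check, not code from the bug thread or from the libpam-ssh package: a POSIX sh audit of a pam.d tree that applies the placement rule in the message above. It expands @include so that a pam_ssh.so session line reaching sshd through common-auth/common-session is attributed to sshd, and it checks that pam_ssh.so is not the first auth module of a service. The sample files it creates are constructed, and all function names are my own.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the libpam-ssh package.
# Audits a pam.d directory against the workaround above: pam_ssh.so may sit
# in local-login services (login, *dm), but no pam_ssh.so session line may
# reach sshd, directly or via the shared common-* includes, because that
# session line starts a local ssh-agent and overrides the forwarded
# SSH_AUTH_SOCK.

# Active (non-comment, non-blank) lines of service $2 under directory $1,
# with @include expanded recursively.
pam_active_lines() {
    [ -f "$1/$2" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$1/$2" | while IFS= read -r line; do
        case $line in
            @include*) pam_active_lines "$1" "$(printf '%s' "${line#@include}" | tr -d ' \t')" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Return 0 when sshd's effective stack has no pam_ssh.so session line.
sshd_agent_safe() {
    ! pam_active_lines "$1" sshd | grep -Eq '^[[:space:]]*-?session[[:space:]].*pam_ssh\.so'
}

# Return 0 when pam_ssh.so is not the first auth module of service $2
# (the thread notes that pam_ssh(8) warns against placing it first).
pam_ssh_not_first_auth() {
    first=$(pam_active_lines "$1" "$2" | grep -E '^[[:space:]]*-?auth[[:space:]]' | head -n 1)
    case $first in *pam_ssh.so*) return 1 ;; *) return 0 ;; esac
}

# Constructed sample tree (not a real system): sshd pulls in the common-*
# includes, while login carries the pam_ssh.so lines itself.
make_sample() {
    d=$(mktemp -d)
    printf '@include common-auth\n@include common-session\n' > "$d/sshd"
    printf 'auth required pam_unix.so\n' > "$d/common-auth"
    printf 'session required pam_unix.so\n' > "$d/common-session"
    printf 'auth required pam_unix.so\n' > "$d/login"
    printf '%s\n' 'auth optional pam_ssh.so try_first_pass' '-session optional pam_ssh.so' >> "$d/login"
    printf '%s' "$d"
}

sample=$(make_sample)
sshd_agent_safe "$sample" && echo "sshd: no pam_ssh.so session line, agent forwarding preserved"
rm -rf "$sample"
```

Running it against a real /etc/pam.d after pam-auth-update has added pam_ssh.so to common-session makes sshd_agent_safe fail, which is exactly the situation the bug report describes.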
Bug#995452: libpam-ssh breaks the agent-forwarding of normal ssh
Package: libpam-ssh
Version: 2.3+ds-2
Severity: critical
Justification: breaks unrelated software

Dear Maintainer,

I configured and used the ssh-key forwarding of openssh. The mere installation of libpam-ssh on the client machine breaks the functionality of agent-forwarding in openssh: the reason for this is that libpam-ssh launches its own ssh-agent instead of respecting the forward.

I have a server with an ssh-agent running and charged with the keys. Server and clients are configured to forward the agent ("ForwardAgent yes" in the config files). This is done by setting the environment variable SSH_AUTH_SOCK appropriately. I can then log from one client to the next, and the key requests are forwarded to the server.

On the client machine with libpam-ssh installed, however, this functionality is broken: instead of forwarding the agent from the server, it sets the environment variables SSH_AUTH_PID and SSH_AUTH_SOCK, which then point to the freshly started ssh-agent on the client, which has no keys charged. Thus, the login to the next client fails.

-- System Information:
Debian Release: 11.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-ssh depends on:
ii  libc6           2.31-13
ii  libpam-runtime  1.4.0-9
ii  libpam0g        1.4.0-9
ii  libssl1.1       1.1.1k-1+deb11u1

Versions of packages libpam-ssh recommends:
ii  libpam-tmpdir                0.09+b2
ii  openssh-client [ssh-client]  1:8.4p1-5

libpam-ssh suggests no packages.

-- no debconf information