Package: libpam-ssh
Version: 2.3+ds-2
Severity: normal
Tags: patch
Dear Maintainer,
* What led up to the situation?
`ssh -a` into a host with libpam-ssh installed
* What was the outcome of this action?
The remote shell had SSH_AUTH_SOCK set to a preexisting socket from
another login. A new forwared socket was aslo present. Pointing
SSH_AUTH_SOCK to the new socket gave access to the forwared agent.
* What outcome did you expect instead?
SSH_AUTH_SOCK should point to the socket of the forwared agent.
Attached patch fixes the problem by omiting `session optional pam_ssh.so`
from /etc/pam.d/sshd.
-- System Information:
Debian Release: 11.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.57-blaulicht (SMP w/6 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libpam-ssh depends on:
ii libc6 2.31-13
ii libpam-runtime 1.4.0-9
ii libpam0g1.4.0-9
ii libssl1.1 1.1.1k-1
Versions of packages libpam-ssh recommends:
pn libpam-tmpdir
ii openssh-client [ssh-client] 1:8.4p1-5
libpam-ssh suggests no packages.
--- /etc/pam.d/sshd 2014-08-05 17:19:26.0 +0200
+++ tmp/sshd2021-09-24 13:18:58.546744537 +0200
@@ -25,7 +25,13 @@
sessionoptional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
-@include common-session
+#@include common-session
+# 2021-09-24 SiB: inlined without pam_ssh
+session[default=1] pam_permit.so
+sessionrequisite pam_deny.so
+sessionrequiredpam_permit.so
+sessionrequiredpam_unix.so
+#session optionalpam_ssh.so
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
