Jov | 6 Jan 2009 14:35

Linux-PAM and saslauthd process reaping conflict


Hello,

my apologies for crossposting. I am unsure which project this should be
fixed in, if not both.

When you use saslauthd with pam_exec.so, a process reaping race is
created. pam_exec.c uses a fork/waitpid combination to run its child
process and saslauthd has a signal handler for SIGCHLD. If the process
terminates before the waitpid is entered, the SIGCHLD is handled by
saslauthd and pam_exec returns with an error to the pam stack.

I tried fixing it in PAM by restoring the default sighandler but this
did not seem to work (see patch). Perhaps I made a silly mistake or it
has something to do with MT signal handling, I do not know. In any case,
it seems a bad idea for PAM to assume there is no SIGCHLD handler
installed in the parent process.

Eventually, I fixed it by disabling automatic process reaping in
saslauthd with the pam authentication mechanism. Afaict, this handler is
not used anyway.

Regards,

Johan Verrept

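The race Johan describes, reproduced as an added example (this is not code from Linux-PAM or saslauthd, and the function names reaper, install_reaper and run_child are mine). A SIGCHLD handler that reaps with waitpid(-1, WNOHANG), as a daemon's auto-reaper does, collects the child before the forking code's own waitpid(pid) runs, so that waitpid fails with ECHILD and the child's exit status is lost. The second path shows one fix that does not depend on the parent's handler at all: block SIGCHLD from just before fork() until the specific child has been collected, then restore the old mask; the handler then runs once, finds nothing to reap, and returns. Whether Linux-PAM's pam_exec does this is not stated in the thread.

```c
/* Added example: fork/waitpid racing against a reaping SIGCHLD handler,
 * and the same sequence with SIGCHLD blocked across the critical region. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Stand-in for a daemon's auto-reaper: collects every exited child. */
static volatile sig_atomic_t reaped_by_handler;

static void reaper(int sig)
{
    int saved = errno;
    (void)sig;
    while (waitpid(-1, NULL, WNOHANG) > 0)
        reaped_by_handler++;
    errno = saved;               /* handlers must not clobber errno */
}

void install_reaper(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = reaper;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    sigaction(SIGCHLD, &sa, NULL);
}

/* Run a child the way pam_exec does: fork(), then waitpid(pid).
 * With block == 0 the reaper is free to steal the child (the race).
 * With block != 0 SIGCHLD stays blocked until our waitpid() has collected it.
 * Returns 0 when waitpid() collected the child, -1 (errno set) otherwise. */
int run_child(int block)
{
    sigset_t chld, old;
    sig_atomic_t before = reaped_by_handler;
    pid_t pid;
    int status, rc, i;

    sigemptyset(&old);
    sigemptyset(&chld);
    sigaddset(&chld, SIGCHLD);
    if (block)
        sigprocmask(SIG_BLOCK, &chld, &old);

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(0);                /* child exits at once: widest race window */

    if (!block) {
        /* Wait (up to 2 s) until the handler has actually reaped the child.
         * This is the window the parent's own waitpid() can lose. */
        struct timespec ts = {0, 10 * 1000 * 1000};
        for (i = 0; i < 200 && reaped_by_handler == before; i++)
            nanosleep(&ts, NULL);
    }

    rc = (waitpid(pid, &status, 0) == pid) ? 0 : -1;

    if (block)
        sigprocmask(SIG_SETMASK, &old, NULL);   /* handler runs now, finds nothing */
    return rc;
}

int main(void)
{
    install_reaper();
    printf("unblocked:       waitpid %s\n",
           run_child(0) == 0 ? "collected the child" : "lost it (ECHILD)");
    printf("SIGCHLD blocked: waitpid %s\n",
           run_child(1) == 0 ? "collected the child" : "lost it");
    return 0;
}
```

The blocked variant is the one to use in library code such as a PAM module, which cannot know what signal disposition its host process has installed; restoring SIG_DFL, as the original post tried, changes the process-wide disposition behind the host's back and still leaves a window if another thread is reaping.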

Francesco Di Natale | 8 Jan 2009 18:55

Mapping username in PAM and OpenSSH

Hello all,

I have been looking in the archives, where somebody talks about changing the username by using PAM (http://www.redhat.com/archives/pam-list/2008-November/msg00009.html).

I am facing the same problem. I would like to access, using OpenSSH, another machine on which there is a PAM module that carries out a change of user. Let me explain it better. What I am trying to do is:

  1. Through OpenSSH the user inputs as username 'anonymous' and password 'anonymous' too.
  2. The PAM module tries to map 'guest' to 'system' and doesn't mind about the password.
  3. The final result would be to see the prompt showing 'system@mycomputer$' and the corresponding folder mounted as the working one.
This is the piece of code that is supposed to make the change of user:

#include <security/pam_modules.h>

/* Replace the name the user typed with the account we want the session to run as. */
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    int retval = pam_set_item(pamh, PAM_USER, "system");
    return retval;   /* PAM_SUCCESS unless the item could not be set */
}

/* An auth module must also provide pam_sm_setcred. */
PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    return PAM_SUCCESS;
}

BUT the log says that 'anonymous' is not a valid user and it doesn't log in as 'system'. My questions are:

  • Despite the fact that I have created 'anonymous' as a user, I haven't been able to map to the user 'system' with PAM.
  • I have taken a look at NSS (which is one of the solutions given in the previously mentioned thread) and don't know how it fits in this structure. Am I wrong?
  • Is it OpenSSH's fault, because it seems that it doesn't take into account the change of user?
  • Is user mapping possible in this structure (OpenSSH + PAM)?
I apologize for such a long mail but I just wanted to be accurate.

Thanks a lot
Have a great day

_______________________________________________
Pam-list mailing list
Pam-list <at> redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
Dan Yefimov | 8 Jan 2009 19:06

Re: Mapping username in PAM and OpenSSH

On 08.01.2009 20:55, Francesco Di Natale wrote:
> Hello all,
>
> I have been looking in the archives that somebody talks about changing
> the username by using PAM
> (http://www.redhat.com/archives/pam-list/2008-November/msg00009.html).
>
> I am facing with the same problem. I would like to access using OpenSSH
> another machine in which there is a PAM module that carry out a change
> of user. Let me explain it better. What I am trying to do is:
>
>    1. Through OpenSSH the user inputs as username 'anonymous' and
>       password 'anonymous' too.
>    2. The PAM module tries to map 'guest' to 'system' and doesn't mind
>       about the password.
>    3. The final result would be to see the prompt showing
>       'system <at> mycomputer$' and the corresponding folder mounted as the
>       working one.
>
> This is the piece of code that is supposed to make the change of user:
>
> int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,const char
> **argv)
> {
>
> int retval = pam_set_item(pamh, PAM_USER, "system");
>
> return PAM_SUCCESS;
>
> }
>
>
> BUT the log says that 'anonymous' is not a valid user and it doesn't log
> as 'system'. My questions are:
>
>     * Despite the fact that I have created 'anonymous' as user, I
>       haven't been capable of mapping the user 'system' with PAM.
>     * I have taking a look to NSS (which is one of the solutions given
>       in the previously mentioned thread) and don't know how does it fit
>       in this structure. Am I wrong?
>     * Is OpenSSH fault because it seems that doesn't take into account
>       the change of user?
>     * Is user mapping possible in this structure (OpenSSH + PAM)?
>
That is a feature of OpenSSH. It is OpenSSH that is responsible for setting 
UID/GID and supplementary GIDs before starting user session. pam_set_item(pamh, 
PAM_USER, "system") sets only user name PAM is authenticating as, but OpenSSH 
doesn't check whether PAM_USER was changed during pam_authenticate() or not. 
Questions about OpenSSH are more appropriate in their mailing list.
-- 
Sincerely Yours, Dan.
Steve Langasek | 8 Jan 2009 23:45

Re: Mapping username in PAM and OpenSSH

On Thu, Jan 08, 2009 at 09:06:30PM +0300, Dan Yefimov wrote:
>> BUT the log says that 'anonymous' is not a valid user and it doesn't log
>> as 'system'. My questions are:

>>     * Despite the fact that I have created 'anonymous' as user, I
>>       haven't been capable of mapping the user 'system' with PAM.
>>     * I have taking a look to NSS (which is one of the solutions given
>>       in the previously mentioned thread) and don't know how does it fit
>>       in this structure. Am I wrong?
>>     * Is OpenSSH fault because it seems that doesn't take into account
>>       the change of user?
>>     * Is user mapping possible in this structure (OpenSSH + PAM)?

> That is a feature of OpenSSH. It is OpenSSH that is responsible for 
> setting UID/GID and supplementary GIDs before starting user session. 
> pam_set_item(pamh, PAM_USER, "system") sets only user name PAM is 
> authenticating as, but OpenSSH doesn't check whether PAM_USER was changed 
> during pam_authenticate() or not. Questions about OpenSSH are more 
> appropriate in their mailing list.

It is true that OpenSSH is responsible for setting the ids; I would,
however, note that I think it's a (low-priority) bug in the PAM
implementation of OpenSSH that it doesn't honor username mappings from
the PAM stack.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
Dan Yefimov | 8 Jan 2009 23:58

Re: Mapping username in PAM and OpenSSH

On 09.01.2009 1:45, Steve Langasek wrote:
>> That is a feature of OpenSSH. It is OpenSSH that is responsible for
>> setting UID/GID and supplementary GIDs before starting user session.
>> pam_set_item(pamh, PAM_USER, "system") sets only user name PAM is
>> authenticating as, but OpenSSH doesn't check whether PAM_USER was changed
>> during pam_authenticate() or not. Questions about OpenSSH are more
>> appropriate in their mailing list.
>
> This is true that OpenSSH is responsible for setting the ids; I would,
> however, note that I think it's a (low-priority) bug in the PAM
> implementation of OpenSSH that it doesn't honor username mappings from
> the PAM stack.
>
Be it a bug or not, anyway, any questions about OpenSSH are appropriate in their 
mailing list. As a member of that list, however, I'd mention that that exact 
issue was raised there previously, but the OpenSSH developers, for a reason I 
don't currently remember, refused to deal with it. Please refer to that mailing 
list archive for details. My personal opinion about the issue in question is 
that your setup is unreasonably complex.
-- 
Sincerely Yours, Dan.
Dan Yefimov | 9 Jan 2009 00:03

Re: Mapping username in PAM and OpenSSH

On 09.01.2009 1:58, Dan Yefimov wrote:
> On 09.01.2009 1:45, Steve Langasek wrote:
>>> That is a feature of OpenSSH. It is OpenSSH that is responsible for
>>> setting UID/GID and supplementary GIDs before starting user session.
>>> pam_set_item(pamh, PAM_USER, "system") sets only user name PAM is
>>> authenticating as, but OpenSSH doesn't check whether PAM_USER was
>>> changed
>>> during pam_authenticate() or not. Questions about OpenSSH are more
>>> appropriate in their mailing list.
>>
>> This is true that OpenSSH is responsible for setting the ids; I would,
>> however, note that I think it's a (low-priority) bug in the PAM
>> implementation of OpenSSH that it doesn't honor username mappings from
>> the PAM stack.
>>
> Be it bug or not, anyway, any questions about OpenSSH are appropriate in
> their mailing list. As a member of that list, however, I'd meantion,
> that that exact issue was raised there previously, but OpenSSH
> developers for the reason, I don't remember currently, refused to deal
> with it. Please refer to that mailing list archive for details. My
> personal opinion about the issue in question is that your setup is
> unreasonably complex.

BTW, most PAM-aware applications don't check whether PAM_USER was changed during 
pam_authenticate() too.
-- 
Sincerely Yours, Dan.
Sascha Ochsenknecht | 15 Jan 2009 20:38

Action if login happened

Hi,

I would like to execute a command whenever somebody tries to login on a
machine. The command should have the following information (via env or
something else):

a) username
b) login successful / login failed
c) if failed -> why? (password wrong or non-existing username)

I played a bit with pam_exec, but I'm not sure how to pass the
information to the command specified with the pam_exec module. I know
that I can get the username from the env PAM_USER. But the other
information?

Another question is in which pam config file (probably common-auth, this
is included by almost every other service) and at which position should
I put the pam_exec module?

So far I haven't found a solution; maybe somebody can help me?

Thanks in advance,
Sascha
Dan Yefimov | 15 Jan 2009 21:10

Re: Action if login happened

On 15.01.2009 22:38, Sascha Ochsenknecht wrote:
> Hi,
>
> I would like to execute a command whenever somebody tries to login on a
> machine. The command should have following information (via env or
> something else):
>
> a) username
> b) login successful / login failed
> c) if failed ->  why? (password wrong or non-existing username)
>
Generally speaking, that information is written to syslog by the majority of 
modules designed for authentication in the case of login failure.

> I played a bit with pam_exec, but I'm not sure how to pass the
> information to the command specified with the pam_exec module. I know
> that I can get the username from the env PAM_USER. But the other
> information?
>
Login success/failure status becomes known only after the auth stack is through with 
its job, and only to the calling application. In addition, login failure may be 
caused by the account stack. So there is no way to accomplish what you want.
-- 
Sincerely Yours, Dan.
Thorsten Kukuk | 15 Jan 2009 22:56

Re: Action if login happened

On Thu, Jan 15, Sascha Ochsenknecht wrote:

> Hi,
> 
> I would like to execute a command whenever somebody tries to login on a
> machine. The command should have following information (via env or
> something else):
> 
> a) username
> b) login successful / login failed
> c) if failed -> why? (password wrong or non-existing username)

I think what you are looking for is "audit". Use the audit framework
and a Linux-PAM version which is compiled with audit enabled.

  Thorsten

-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
Ian jonhson | 28 Jan 2009 03:31

Re: Mapping username in PAM and OpenSSH

Some work has been done.

The XtreemOS project (http://www.xtreemos.org/) has put
much manpower into OpenSSH to develop the mechanisms
via PAM and NSS. Related publications can be found in

http://www.usenix.org/events/lasco08/tech/full_papers/qin/qin.pdf

The project is now working with the Linux community on
opening its source code.

Hope it will be useful to you.

On 1/9/09, Francesco Di Natale <josimapi@gmail.com> wrote:
> Hello all,
>
> I have been looking in the archives that somebody talks about changing the
> username by using PAM
> (http://www.redhat.com/archives/pam-list/2008-November/msg00009.html).
>
> I am facing with the same problem. I would like to access using OpenSSH
> another machine in which there is a PAM module that carry out a change of
> user. Let me explain it better. What I am trying to do is:
>
> Through OpenSSH the user inputs as username 'anonymous' and password
> 'anonymous' too.
> The PAM module tries to map 'guest' to 'system' and doesn't mind about the
> password.
> The final result would be to see the prompt showing 'system <at> mycomputer$' and
> the corresponding folder mounted as the working one.This is the piece of
> code that is supposed to make the change of user:
>
> int pam_sm_authenticate(pam_handle_t *pamh,int flags,int
> argc,const char **argv)
> {
>
> int retval = pam_set_item(pamh, PAM_USER, "system");
> return PAM_SUCCESS;
>
> }
>
>
> BUT the log says that 'anonymous' is not a valid user and it doesn't log as
> 'system'. My questions are:
>
>
> Despite the fact that I have created 'anonymous' as user, I haven't been
> capable of mapping the user 'system' with PAM.
> I have taking a look to NSS (which is one of the solutions given in the
> previously mentioned thread) and don't know how does it fit in this
> structure. Am I wrong?
> Is OpenSSH fault because it seems that doesn't take into account the change
> of user?
> Is user mapping possible in this structure (OpenSSH + PAM)?I apologize for
> such a long mail but I just wanted to be accurate.
>
> Thanks a lot
> Have a great day
