pam_ssh_agent_auth
pam_ssh_agent_auth copied to clipboard
jbeverly
authorized_keys_command= is passing wrong username argument when used in /etc/pam.d/su-l
Tested on several versions from 8.8p1 right back to 7.4p1 and on different distros (RHEL, Ubuntu)
Issue:
If you use su -
Debugging: It seems to be specific to authorized_keys_command within pam_ssh_agent as I've tried writing a simple bash script which outputs %u and that is returning the wrong user. If you use file=/%h/%u/.ssh/authorized_keys that does return the correct user which makes e think its specific to the command.
Scenario: User alice with standard privileges logs on from Windows using pageant/PuttyCAC and has a smart card inserted. To do any superuser commands, she has to elevate herself with su - adminalice.
-
SSH connects fine
-
Alice does su - adminalice
-
Authentication starts processing but rejects the authentication by smartcard (returns wrong smartcard inserted within Windows) and reverts to password (the next line down in the pam.d file)
-
When using "debug" in the pam.d/su-l file you can see the following output in /var/log/secure or /var/log/auth.log: pam_ssh_agent_auth: debug1: Running AuthorizedKeysCommand: "/usr/bin/sss_ssh_authorizedkeys" as "alice" with argument: "alice"
-
This should read pam_ssh_agent_auth: debug1: Running AuthorizedKeysCommand: "/usr/bin/sss_ssh_authorizedkeys" as "alice" with argument: "adminalice"
I am wondering if the pam_ssh_agent_auth is designed to be used with the su as you describe. Most of the guides here talk about configuring this in the sudo, where this behavior is expected. The pam_ssh_agent_auth reads PAM_RUSER and if it is not defined, it falls back to the getuid() syscall, which is usually the right thing to do to authenticate a user with sudo, but not with a su.
FYI there is a patch to set PAM_RUSER to work with programs like su(1):
https://github.com/jbeverly/pam_ssh_agent_auth/pull/7
