FS#27255 - [openssh] should use pam_systemd.so when under systemd
Attached to Project:
Arch Linux
Opened by Marti (intgr) - Friday, 25 November 2011, 19:06 GMT
Last edited by Gaetan Bisson (vesath) - Thursday, 15 December 2011, 22:38 GMT
Details
Description: openssh's PAM entry should invoke pam_systemd.so, so user processes get allocated to their respective user, instead of grouped under the sshd daemon.

The more immediate problem is that when using systemd's sshd.socket approach, systemd kills all processes in the same control group upon disconnection. This breaks 'nohup', 'screen' etc.

Adding the line "-session optional pam_systemd.so" to the PAM file should do the trick. This is already suggested on the wiki: https://wiki.archlinux.org/index.php/Systemd#User_sessions
Closed by Gaetan Bisson (vesath)
Thursday, 15 December 2011, 22:38 GMT
Reason for closing: Implemented
Additional comments about closing: openssh-5.9p1-5 in [core]
I will implement that change in openssh in a day or two if nobody argues against it.
Here is the manpage for your information: http://0pointer.de/public/systemd-man/pam_systemd.html .
I notice that in the manpage the module is "required" rather than "optional", I don't know if this is important (don't understand PAM that well), but maybe worth considering doing that.
Note that implementing this request does not affect systems where systemd is not installed, or even systems where systemd is installed but not used as the initsystem.
Because pam_systemd.so is included with the systemd package -- not all users have it installed.
"required" would block login if PAM can't find the module.
I tested this before posting my last comment. I deleted /lib/security/pam_systemd.so and with the "required" keyword -- even if it's prefixed with '-', PAM forbids me from logging in. Everything keeps working with "optional" though.