FS#27255 - [openssh] should use pam_systemd.so when under systemd

Attached to Project: Arch Linux
Opened by Marti (intgr) - Friday, 25 November 2011, 19:06 GMT
Last edited by Gaetan Bisson (vesath) - Thursday, 15 December 2011, 22:38 GMT
Task Type: Feature Request
Category: Packages: Core
Status: Closed
Assigned To: Gaetan Bisson (vesath)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 2
Private: No

Details

Description: openssh's pam entry should invoke pam_systemd.so, so user processes get allocated to their respective user, instead of being grouped under the sshd daemon.

The more immediate problem is that when using systemd's sshd.socket approach, systemd kills all processes in the same control group upon disconnection. This breaks 'nohup', 'screen' etc.

Adding the line "-session optional pam_systemd.so" to the PAM file should do the trick.

This is already suggested on the wiki: https://wiki.archlinux.org/index.php/Systemd#User_sessions

Closed by Gaetan Bisson (vesath)
Thursday, 15 December 2011, 22:38 GMT
Reason for closing: Implemented
Additional comments about closing: openssh-5.9p1-5 in [core]
Comment by Gaetan Bisson (vesath) - Saturday, 26 November 2011, 01:39 GMT
Shouldn't this line also go to /etc/pam.d/login then?
Comment by Dave Reisner (falconindy) - Saturday, 26 November 2011, 01:45 GMT
Yes, it should. Ideally, all DMs should be grabbing this module as well.
Comment by Gaetan Bisson (vesath) - Saturday, 26 November 2011, 02:09 GMT
Alright. Could you also file a bug report against the shadow package then?
I will implement that change in openssh in a day or two if nobody argues against it.
Comment by Tom Gundersen (tomegun) - Saturday, 26 November 2011, 08:51 GMT
This makes sense, and would indeed make sure that screen and friends work as expected.

Here is the manpage for your information: http://0pointer.de/public/systemd-man/pam_systemd.html .

I notice that in the manpage the module is "required" rather than "optional". I don't know if this is important (I don't understand PAM that well), but it may be worth considering doing that.

Note that implementing this request does not affect systems where systemd is not installed, or even systems where systemd is installed but not used as the initsystem.
Comment by Marti (intgr) - Saturday, 26 November 2011, 11:35 GMT
Opened new task for shadow here: https://bugs.archlinux.org/task/27262
Comment by Marti (intgr) - Saturday, 26 November 2011, 12:08 GMT
> why not "required" rather than "optional"?

Because pam_systemd.so is included with the systemd package -- not all users have it installed.
"required" would block login if PAM can't find the module.
Comment by Tom Gundersen (tomegun) - Saturday, 26 November 2011, 12:23 GMT
Not if the line is prefixed with "-" (as it is).
Comment by Christian Hesse (eworm) - Saturday, 26 November 2011, 12:26 GMT
AFAIK prefixing it with "-" is ok if pam_systemd.so is not installed at all. But if you have it installed but boot with plain old SysV Init, authentication will fail.
Comment by Tom Gundersen (tomegun) - Saturday, 26 November 2011, 12:35 GMT
@eworm: No. Read the pam_systemd man page. If you did not boot with systemd it will always return 0.
Comment by Gaetan Bisson (vesath) - Saturday, 26 November 2011, 12:50 GMT
I've pushed openssh-5.9p1-5 to [testing] with "-session optional pam_systemd.so"; unless there is an actual difference between "optional" and "required", I prefer the former for bikeshedding reasons. :)
Comment by Marti (intgr) - Saturday, 26 November 2011, 12:50 GMT
@tomegun: According to the pam.d man page, "-" will only omit the warning message about the missing library. It doesn't change actual behavior.

I tested this before posting my last comment. I deleted /lib/security/pam_systemd.so and with the "required" keyword -- even if it's prefixed with '-', PAM forbids me from logging in. Everything keeps working with "optional" though.
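
The following is an added example, not part of any comment above and not code from the openssh or systemd packages: a small audit that reads a PAM service file and reports lines whose module is absent from the module directory. It assumes the behaviour reported in the last comment (a missing module under "required" blocks login even with the "-" prefix, while "optional" keeps working); the sample file, the temporary module directory and the verdict labels are constructed for illustration.

```python
import os
import re
import tempfile

# [-]type  control  module-path ...; control may be a bracketed [value=action] list
PAM_LINE = re.compile(r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
BLOCKING = {"required", "requisite"}    # a failure fails the whole stack
TOLERATED = {"optional", "sufficient"}  # a failure is ignored

# Constructed sample, not a real /etc/pam.d/sshd.
SAMPLE = """\
#%PAM-1.0
auth      include   system-login
auth      required  pam_unix.so
-session  optional  pam_systemd.so
-session  required  pam_systemd.so
"""

def audit(pam_text, module_dir):
    """Report modules absent from module_dir, assuming the behaviour tested in the thread."""
    findings = []
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        m = PAM_LINE.match(raw.strip())
        if not m or m.group(3) in ("include", "substack"):
            continue                     # comment, blank line or include
        silent, control, module = m.group(1) == "-", m.group(3), m.group(4)
        if os.path.exists(os.path.join(module_dir, module)):
            continue
        # The "-" prefix is recorded but deliberately does not change the verdict.
        verdict = ("blocks-login" if control in BLOCKING
                   else "tolerated" if control in TOLERATED else "check-manually")
        findings.append((lineno, module, silent, verdict))
    return findings

def demo():
    """Audit SAMPLE against a temporary module directory lacking pam_systemd.so."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "pam_unix.so"), "w").close()
        return audit(SAMPLE, d)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Pointing `audit` at a real service file and the system's PAM module directory before removing a package shows which entries would lock out logins under that assumption.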
