FS#33696 - [openssh] /etc/pam.d/sshd is not integrated with config provided by pambase

Attached to Project: Arch Linux
Opened by Vladimir Vrzić (random) - Monday, 04 February 2013, 06:44 GMT
Last edited by Gaetan Bisson (vesath) - Tuesday, 12 February 2013, 04:04 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

PAM configuration (from the pambase Arch package) follows a certain hierarchy. The design seems to have been originally copied from Gentoo's pambase, or it was the other way around, but the layout is the same. For example, for login(1) you have a config file called 'login' which adds some login(1)-specific modules, and then includes 'system-local-login' for all four management groups that PAM provides (auth, account, password and session). 'system-local-login', in turn, includes 'system-login' for all four mgmt groups, which in turn includes 'system-auth', etc. Other configured local login configs, such as for logging in via a DM, also include 'system-local-login' for all mgmt groups. This design makes it easier to deploy authentication changes across the whole configuration: if we wanted to add a new login module for all login types, we could simply add it to 'system-login'. A mechanism for easy separation of local and remote login config is also provided, via the 'system-{local,remote}-login' files.

However, unlike the configs for other services, /etc/pam.d/sshd has been configured as a monolithic config file, constructing its own module chain, although it should rely on the existing /etc/pam.d/system-remote-login file from pambase. More than half of the modules listed in sshd are redundant, as they could be provided by the existing general PAM login configuration. Furthermore, the file /etc/pam.d/system-remote-config seems to be sitting in the repositories and on users' hard drives completely unused.

This also has the following consequences:

1) Some of the expected default PAM config is missing from sshd, for example it doesn't load pam_shells.so module to check user's login shell against /etc/shells.

2) Global changes to PAM configuration (those that affect all login mechanisms) require a separate update of the openssh package, along with the update of pambase package. And two separate tickets in the tracker.

For these reasons, I'm filing this as a bug and not as a feature request.

Proposed solution: we could remove all the redundant modules that will get loaded down the chain from sshd, and include system-remote-login at the end, which will pick them up eventually.

After these changes, the new /etc/pam.d/sshd would look like this:

#%PAM-1.0
#auth required pam_securetty.so #Disable remote root
account required pam_time.so
session required pam_unix_session.so
session required pam_limits.so
-session optional pam_ck_connector.so nox11

auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login


Additional info:
* package version(s)

openssh 6.1p1-4 and earlier
This task depends upon
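
As an added illustration of the include hierarchy described in the report (example code written for this page, not part of the report, openssh or pambase): a small Python script that expands the include chain of one service for each management group and flags modules that a service file lists directly although an included file already supplies them, which is exactly the redundancy the thread is about. The /etc/pam.d contents embedded below are a constructed, trimmed sketch in the pambase layout (login chain ending in system-auth), not the real package files; the sshd entry is the reporter's proposed file from above, and pam_unix_session.so is treated as an alias of pam_unix.so as Dave's comment states.

```python
"""Expand /etc/pam.d include chains and report redundant modules.

Added example, not code from the bug report, openssh or pambase. PAMD is
a constructed, trimmed sketch of the pambase layout, not the real files.
"""
import re

GROUPS = ("auth", "account", "password", "session")

# Constructed sample /etc/pam.d: service name -> file contents.
PAMD = {
    "system-auth": """\
#%PAM-1.0
auth      required  pam_unix.so     try_first_pass nullok
auth      required  pam_env.so
account   required  pam_unix.so
account   required  pam_time.so
password  required  pam_unix.so     sha512 shadow
session   required  pam_limits.so
session   required  pam_unix.so
""",
    "system-login": """\
#%PAM-1.0
auth      required  pam_shells.so
auth      requisite pam_nologin.so
auth      include   system-auth
account   required  pam_access.so
account   include   system-auth
password  include   system-auth
session   optional  pam_loginuid.so
session   include   system-auth
session   optional  pam_motd.so
""",
    "system-remote-login": "\n".join(f"{g} include system-login" for g in GROUPS),
    # The reporter's proposed sshd file, before the trimming Dave suggested.
    "sshd": """\
#%PAM-1.0
#auth required pam_securetty.so #Disable remote root
account required pam_time.so
session required pam_unix_session.so
session required pam_limits.so
-session optional pam_ck_connector.so nox11
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login
""",
}

# Old module name -> current name (pam_unix_session is an alias of pam_unix).
ALIASES = {"pam_unix_session.so": "pam_unix.so"}

# "-" prefix (don't log a missing module), group, control ("[..]" form allowed),
# module or include target, optional args.
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse(text):
    """Yield (group, control, module_or_target, args) for each config line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable pam.d line: {raw!r}")
        group, control, target, args = m.groups()
        yield group, control, ALIASES.get(target, target), args or ""


def flatten(service, group, files=PAMD, seen=()):
    """Return [(control, module, args, origin_file)] for one management group,
    with include/substack lines expanded recursively (loops are rejected)."""
    if service in seen:
        raise ValueError(f"include loop via {service}")
    if service not in files:
        raise FileNotFoundError(service)
    stack = []
    for g, control, target, args in parse(files[service]):
        if g != group:
            continue
        if control in ("include", "substack"):
            stack.extend(flatten(target, group, files, seen + (service,)))
        else:
            stack.append((control, target, args, service))
    return stack


def modules(service, group, files=PAMD):
    """Names of all modules that end up in the stack for one group."""
    return {m for _, m, _, _ in flatten(service, group, files)}


def redundant(service, files=PAMD):
    """Sorted (group, module) pairs that `service` lists directly although an
    included file already supplies them."""
    found = []
    for group in GROUPS:
        stack = flatten(service, group, files)
        direct = {m for _, m, _, o in stack if o == service}
        inherited = {m for _, m, _, o in stack if o != service}
        found.extend((group, m) for m in sorted(direct & inherited))
    return found


if __name__ == "__main__":
    for group in GROUPS:
        print(group, sorted(modules("sshd", group)))
    print("redundant in sshd:", redundant("sshd"))
```

Run as a script it prints the effective module set per group and then the redundant lines; on the sample above that is pam_time.so in account plus pam_limits.so and pam_unix.so (via the alias) in session, matching the three modules Dave asked to drop. pam_ck_connector.so is not reported because nothing in the chain supplies it; its removal is a policy decision (no ConsoleKit), not a redundancy.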

Closed by  Gaetan Bisson (vesath)
Tuesday, 12 February 2013, 04:04 GMT
Reason for closing:  Implemented
Additional comments about closing:  openssh-6.1p1-5 in [core]
Comment by Dave Reisner (falconindy) - Monday, 04 February 2013, 12:56 GMT
Seems fine, but a few comments:

1) We don't ship consolekit anymore, so pam-ck-connector has no place here.
2) pam_unix_session is just an old name for pam_unix. There's no need for it since it's part of the stack.
3) You're including system-auth, so why do you need to keep pam_limits and pam_time explicitly?
Comment by Gaetan Bisson (vesath) - Monday, 04 February 2013, 13:50 GMT
Thanks for your detailed report - it seems we missed openssh when /etc/pam.d got revamped. For proper form I'll tag this back as feature request.

Please report any issues with openssh-6.1p1-5 from [testing].
Comment by Vladimir Vrzić (random) - Monday, 04 February 2013, 15:42 GMT
Dave, all points are valid, thanks for the correction.

Gaetan, note that openssh is not the only package whose PAM config is not properly integrated with pambase. A quick look at my /etc/pam.d/ shows at least the shadow, util-linux and polkit packages also dropping "flat" config files there.