#994992 libpam-ssh: pam-ssh picks the from agent socket after login with ssh -A

Package:
libpam-ssh
Source:
libpam-ssh
Description:
Authenticate using SSH keys
Submitter:
Stephan I. Böttcher
Date:
2024-08-31 16:03:02 UTC
Severity:
critical
#994992#5
Date:
2021-09-24 11:43:00 UTC
From:
To:
Dear Maintainer,

* What led up to the situation?

  `ssh -a` into a host with libpam-ssh installed

* What was the outcome of this action?

  The remote shell had SSH_AUTH_SOCK set to a preexisting socket from
  another login.  A new forwarded socket was also present.  Pointing
  SSH_AUTH_SOCK to the new socket gave access to the forwarded agent.

* What outcome did you expect instead?

  SSH_AUTH_SOCK should point to the socket of the forwarded agent.

Attached patch fixes the problem by omitting `session optional pam_ssh.so`
from /etc/pam.d/sshd.

#994992#16
Date:
2021-12-25 16:38:51 UTC
From:
To:
Hello Stephan, thanks for your report.

I guess that your issue is related to issue #995452. I have just merged them.

Thanks for the patch. However, note that it is not applicable because /etc/pam.d/sshd
is actually distributed along with the package `openssh-server` (you can check this with apt-file(1)).

For a working (but hopefully temporary) workaround you can have a look at the aforementioned
bug report.

Cheers,
Jerome