#995452 libpam-ssh breaks the agent-forwarding of normal ssh

Package:
libpam-ssh
Source:
libpam-ssh
Description:
Authenticate using SSH keys
Submitter:
Michael Schindler
Date:
2024-08-31 16:03:02 UTC
Severity:
critical
#995452#5
Date:
2021-10-01 12:37:44 UTC
From:
To:
Dear Maintainer,

I configured and used the ssh-key forwarding of openssh. The mere installation
of libpam-ssh on the client machine breaks the functionality of
agent-forwarding in openssh: The reason for this is that libpam-ssh launches
its own ssh-agent instead of respecting the forward.

I have a server with an ssh-agent running and charged with the keys. Server and
clients are configured to forward the agent ("ForwardAgent yes" in the config
files). This is done by setting the environment variable SSH_AUTH_SOCK
appropriately. I can then log from one client to the next, and the key requests
are forwarded to the server. On the client machine with libpam-ssh installed,
however, this functionality is broken: Instead of forwarding the agent from the
server, it sets the environment variables SSH_AUTH_PID and SSH_AUTH_SOCK then
point to the freshly started ssh-agent on the client, which has no keys
charged. Thus, the login to the next client fails.

#995452#10
Date:
2021-10-03 00:25:54 UTC
From:
To:
The workaround/fix for this would be to not let pam-auth-update add
pam_ssh.so into common-auth and common-session, but add the necessary
lines *selectively* only to services that handle local logins like
/etc/pam.d/login and /etc/pam.d/*dm, but *not* to /etc/pam.d/sshd.

That should allow libpam-ssh to start the agent on initial login, but
leave the SSH sessions and their agent forwarding alone.

If you need the "authentication by SSH key passphrase" functionality on
SSH connections, you could add only the "auth optional pam_ssh.so
try_first_pass" line to /etc/pam.d/sshd. (Note that this line should not
be the first authentication module, to prevent an information leak, as
described in the pam_ssh(8) man page.)
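As an added illustration of the selective-configuration approach described above (this is example code, not part of the bug report, the libpam-ssh package, or pam-auth-update): a POSIX shell audit that reports which services under a Debian-style pam.d directory end up loading pam_ssh.so, either by naming the module directly or through an @include of a common-* stack, and flags sshd, where the session module would replace the SSH_AUTH_SOCK that a forwarded agent connection set. The file names common-auth, common-session, sshd and login follow Debian's layout; the sample stacks built by make_sample_pamd are constructed, simplified input (not copies of real files) showing the shared-stack layout that reaches sshd beside the corrected one that keeps pam_ssh.so in the local-login service only, after common-auth so it is not the first authentication module.

```shell
#!/bin/sh
# Added example, not from the bug report or the libpam-ssh package.
# Audits a Debian-style pam.d directory for services that end up loading
# pam_ssh.so and flags sshd, where pam_ssh's session module would start a
# fresh agent and overwrite the SSH_AUTH_SOCK set for a forwarded agent.

# A PAM rule line: optional "-" (missing-module tolerant), a type word,
# then the module somewhere after it. Comment lines do not match.
MODULE_RE='^[[:space:]]*-?[a-z]+[[:space:]]+.*pam_ssh\.so'

# pam_ssh_services DIR
# Prints "service:direct" for every non-common-* file in DIR that names
# pam_ssh.so itself and "service:via FILE" for every @include whose target
# names it. Follows one level of @include, which is all Debian's common-*
# stacks use.
pam_ssh_services() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        svc=$(basename "$f")
        case "$svc" in common-*) continue ;; esac
        if grep -Eq "$MODULE_RE" "$f"; then
            echo "$svc:direct"
        fi
        for inc in $(sed -n 's/^[[:space:]]*@include[[:space:]][[:space:]]*//p' "$f"); do
            if [ -f "$dir/$inc" ] && grep -Eq "$MODULE_RE" "$dir/$inc"; then
                echo "$svc:via $inc"
            fi
        done
    done
}

# sshd_loads_pam_ssh DIR: exit status 0 when the sshd service ends up with pam_ssh.so
sshd_loads_pam_ssh() {
    pam_ssh_services "$1" | grep -q '^sshd:'
}

# make_sample_pamd: builds a constructed, simplified pam.d tree in a temp
# directory that mirrors the problem: pam_ssh.so sits in the shared stacks,
# so sshd inherits it through @include. Prints the directory name.
make_sample_pamd() {
    d=$(mktemp -d)
    cat > "$d/common-auth" <<'EOF'
auth    [success=1 default=ignore]    pam_unix.so nullok
auth    requisite                     pam_deny.so
auth    required                      pam_permit.so
auth    optional                      pam_ssh.so try_first_pass
EOF
    cat > "$d/common-session" <<'EOF'
session required    pam_unix.so
session optional    pam_ssh.so
EOF
    printf '@include common-auth\n@include common-session\n' > "$d/sshd"
    printf '@include common-auth\n@include common-session\n' > "$d/login"
    echo "$d"
}

# fix_sample_pamd DIR: drops pam_ssh.so from the shared stacks and adds it
# only to the local-login service, after the common-auth include so that
# pam_ssh is not the first authentication module.
fix_sample_pamd() {
    d=$1
    for f in "$d/common-auth" "$d/common-session"; do
        grep -v 'pam_ssh\.so' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
    printf -- '-auth    optional    pam_ssh.so try_first_pass\n' >> "$d/login"
    printf -- '-session optional    pam_ssh.so\n' >> "$d/login"
}

case "${1:-}" in
    --demo)
        d=$(make_sample_pamd)
        echo "before:"; pam_ssh_services "$d"
        fix_sample_pamd "$d"
        echo "after:";  pam_ssh_services "$d"
        rm -rf "$d" ;;
    "") ;;   # no argument: only define the functions
    *)  pam_ssh_services "$1"
        if sshd_loads_pam_ssh "$1"; then
            echo "WARNING: sshd loads pam_ssh.so; agent forwarding will break" >&2
            exit 1
        fi ;;
esac
```

Run it as `sh audit.sh /etc/pam.d` to check a real host (non-zero exit when sshd is affected), or `sh audit.sh --demo` to see the constructed tree before and after the fix. The audit only follows one level of @include because that is how Debian's common-* stacks are wired; a nested include would need recursion.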

#995452#15
Date:
2021-10-26 05:59:48 UTC
From:
To:
I am working on it.
#995452#20
Date:
2021-11-07 19:36:08 UTC
From:
To:
On Sun, 3 Oct 2021 03:25:54 +0300 Matti Kurkela <Matti.Kurkela@iki.fi> wrote:

Dear Kurkela, thanks for your report.

I apologize for my late reply.

Actually I agree with your comments.
My current set up on my main computer follows your comment below.

As far as I can remember, I have never revisited the pam-auth-update(8)
configuration file of this package since I began to maintain it.

Meanwhile, note that I put some warning in the README.Debian file.

Can you share your /etc/pam.d/login and /etc/pam.d/*dm files so that
I can compare with my setup?

Cheers,
Jerome

#995452#25
Date:
2021-11-16 09:36:15 UTC
From:
To:
Looks like my spam filter ate the notification that you answered, and/or
since my post was "additional information only", I did not get a
notification in the first place.

My /etc/pam.d/sddm:
-------------------------
#%PAM-1.0

# Block login if they are globally disabled
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
# auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
# gnome_keyring breaks QProcess
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet5.so
-auth optional pam_ssh.so use_first_pass

@include common-account

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Create a new session keyring.
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_loginuid.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start
-session optional pam_ssh.so

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.

# Load environment from /etc/environment
session required pam_env.so
# Load environment from /etc/default/locale and ~/.pam_environment
session required pam_env.so envfile=/etc/default/locale user_readenv=1
---------------------------------

And my /etc/pam.d/login:

---------------------------------
#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# Sets the loginuid process attribute
session required pam_loginuid.so

# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
# pam_selinux.so changes the SELinux context of the used TTY and configures
# SELinux in order to transition to the user context with the next execve()
# call.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth optional pam_group.so
-auth optional pam_ssh.so try_first_pass

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraint on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so

# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session optional pam_mail.so standard

# Create a new session keyring.
session optional pam_keyinit.so force revoke

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
-session optional pam_ssh.so
---------------------------------
#995452#30
Date:
2021-11-29 10:19:36 UTC
From:
To:
Thanks for sharing your file.
I will have a closer look soon,
Cheers,
Jerome

#995452#35
Date:
2021-12-11 18:14:07 UTC
From:
To:
ping,
cheers,
Jerome

#995452#40
Date:
2021-12-12 16:43:42 UTC
From:
To:
Hello Michael,

On Fri, 01 Oct 2021 14:37:44 +0200 Michael Schindler <michael.schindler@espci.fr> wrote:
> On the client machine with libpam-ssh installed,


Basically you say that there is a competition between sshd and libpam-ssh.
And in fact this competition is actually not well managed.
Actually, I think that there is no policy at all for this situation.

Cheers,
Jerome