Expose authentication information to PAM [Bug 2408] #47

Closed
wants to merge 17 commits into from

@Feandil Feandil commented Jul 1, 2016

This PR is a code proposal to resolve bug 2408.
It contains the same code as the patch attached to the bug on 2016/07/01, but as atomic patches, for a simpler review.

Feandil and others added 17 commits July 1, 2016 09:17
Whenever the pam device is called, update the "SSH_USER_AUTH" PAM
environment variable (Doing it outside this module exposes us to a NULL
sshpam_handle).

When a session is later created, this variable, still part of the
PAM environment variable, will be copied to the child environment before
being overridden by the latest value stored in auth_details. As a result,
using the same variable name as the final one is key to prevent the
final environment from being polluted with an outdated value.

Unfortunately, in the monitor thread, not the same amount of data is
available when a key-based authentication succeeds. It could be possible
to extract the key information of all keys that pass through
mm_answer_keyverify, but linking it to the authentication success would
be dangerous.

Simply exposing the successful methods would already be progress.

last_details is supposed to be only filled on authentication success, but may
be incorrectly filled in the future. This patch makes sure that this field is
cleaned even on authentication failures to make sure that even incorrect
authentication modules cannot pollute the SSH_USER_AUTH string for another
module.
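
The cleanup described in the last commit message above, as an added example that is not code from this PR or from OpenSSH: a simplified C model of why the field must be reset on failure. Only `last_details` and `SSH_USER_AUTH` are names from the page; `struct attempt`, `build_user_auth`, the comma/space layout of the string and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT OpenSSH code. Only last_details and SSH_USER_AUTH
 * are names from the page; the rest is hypothetical. */
struct attempt {
    const char *method;  /* e.g. "password", "publickey" */
    int ok;              /* 1 = this attempt authenticated the user */
    const char *details; /* what the method left in last_details, or NULL */
};
/* Replay the attempts and build the string that would be exported as
 * SSH_USER_AUTH (assumed layout: "method[ details]" joined by commas). */
char *build_user_auth(const struct attempt *a, size_t n, int clear_on_failure, char *out, size_t outlen)
{
    const char *last_details = NULL;
    size_t i, used = 0;
    if (outlen == 0) return out;
    out[0] = '\0';
    for (i = 0; i < n; i++) {
        if (a[i].details != NULL)   /* a method may fill it and still fail */
            last_details = a[i].details;
        if (a[i].ok) {
            int w = snprintf(out + used, outlen - used, "%s%s%s%s", used ? "," : "",
                a[i].method, last_details ? " " : "", last_details ? last_details : "");
            if (w < 0 || (size_t)w >= outlen - used) {
                out[used] = '\0';   /* drop the partial record */
                break;
            }
            used += (size_t)w;
            last_details = NULL;    /* consumed by this success */
        } else if (clear_on_failure) {
            last_details = NULL;    /* the fix: failures leave nothing behind */
        }
    }
    return out;
}

int main(void) {
    /* Constructed sample: a failing method wrongly leaves details behind,
     * then a method with no details of its own succeeds. */
    const struct attempt seq[] = {
        { "password", 0, "stale-data-from-failed-method" },
        { "publickey", 1, NULL },
    };
    char buf[128];
    printf("no cleanup:   %s\n", build_user_auth(seq, 2, 0, buf, sizeof buf));
    printf("with cleanup: %s\n", build_user_auth(seq, 2, 1, buf, sizeof buf));
    return 0;
}
```

Without the reset, the successful method's record carries data written by the method that failed before it; with the reset, only what the successful method itself provided is exported.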

djmdjm commented Feb 10, 2018

Something similar has been committed

@djmdjm djmdjm closed this Feb 10, 2018