SSH – Steps the System Goes Through When Handling an SSH Connection


What steps does the system go through when handling an SSH connection?

  1. We try to log in via ssh
  2. sshd starts pam and pam module to authenticate us
  3. Depending on pam configuration, we need to provide username and password (pam checks passwd and shadow files)
  4. pam checks for hosts.allow/deny, /etc/shells, and other things
  5. If everything goes fine we are logged in
  6. ???
  7. Shell is started

So my question is what mechanism is responsible for checking which shell is assigned to the user in their passwd file (in step 6)? Is it pam itself, some specific pam module, sshd, or something else? I know that I can replace the passwd file (for checking username and password) by writing a pam module, but how can I replace the passwd file for the shell entry?

Best Answer

As far as I know, PAM doesn't determine the user's shell; this is left to the application. PAM's session modules perform generic actions and checks that must be done on every login using that particular service. If the application then wants to start a shell, it is free to do so, and will typically look up the shell in the user database.

Assuming your question is about OpenSSH, that's exactly what it does: once the user is authenticated, and the PAM session stuff has been done (if configured to use PAM¹), the ssh server looks up the shell in the user database (directly, not through the PAM library).

The user database isn't limited to /usr/passwd and friends. On Linux (which I assume you're using since you mention shadow), what makes up the user database is determined by the passwd setting in /etc/nsswitch.conf. In multi-computer setups, common additions to the local database are NIS and LDAP. If you want to use a shell that isn't the one in /etc/passwd, this may be what to configure (although it would be a bit strange, and maybe people can offer better suggestions if you tell us what you're trying to accomplish).

If you want to have users without full shell access, the natural solution is to change /etc/passwd to put a restricted shell — perhaps rssh to allow only a few file-copying-type applications such as scp, rsync and cvs. You can also use forced commands in the user's ~/.ssh/authorized_keys file.

If you'd like to see a trace of what the ssh server is doing, start the daemon as ssh -ddd. You can also get the client's view with ssh -vvv, though here the server's view is what will interest you most.

¹ OpenSSH only uses PAM if it is configured with PAM support and the UsePAM directive is set to yes in sshd_config. Even when it uses PAM, it offers other authentication methods in addition to PAM; in particular public key authentication does not go through PAM.
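An added illustration (not part of the question or the answer above) of the lookup the answer describes: the shell comes from the NSS user database configured by the passwd line of nsswitch.conf, not from PAM, and OpenSSH substitutes /bin/sh when the shell field is empty. The nsswitch.conf, passwd and /etc/shells contents below are constructed samples.

```python
"""Resolve a user's login shell the way an application such as sshd does:
through the NSS user database (nsswitch.conf 'passwd' sources), not PAM.
All sample file contents here are constructed, not taken from a real host."""

# Constructed stand-ins for /etc/nsswitch.conf, /etc/passwd and /etc/shells.
NSSWITCH = "passwd:  files ldap\ngroup:   files\nshells: files\n"
PASSWD_DB = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000::/home/alice:/usr/bin/rssh\n"
    "bob:x:1001:1001::/home/bob:\n"            # empty shell field
    "svc:x:1002:1002::/var/svc:/usr/sbin/nologin\n"
)
ETC_SHELLS = "/bin/sh\n/bin/bash\n/usr/bin/rssh\n"

def passwd_sources(nsswitch: str) -> list:
    """Return the ordered NSS sources consulted for the 'passwd' database."""
    for line in nsswitch.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            return line.split(":", 1)[1].split()
    return ["files"]  # glibc's default when no passwd entry is present

def parse_passwd(db: str) -> dict:
    """Map user -> shell from passwd(5)-formatted lines (the 'files' source)."""
    users = {}
    for line in db.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            users[fields[0]] = fields[6]
    return users

def login_shell(user: str, db: str) -> str:
    """Shell sshd would exec for the user: pw_shell, or /bin/sh when that
    field is empty (OpenSSH falls back to _PATH_BSHELL in that case)."""
    shell = parse_passwd(db).get(user)
    if shell is None:
        raise KeyError(f"{user}: not found in user database")
    return shell or "/bin/sh"

def unlisted_shells(db: str, shells: str) -> dict:
    """Audit helper: users whose shell is not listed in /etc/shells (shells(5))."""
    allowed = {s.strip() for s in shells.splitlines() if s.strip()}
    return {u: s for u, s in parse_passwd(db).items() if s and s not in allowed}
```

Swapping in another source (e.g. ldap) on the passwd line of nsswitch.conf is how the shell entry is replaced without touching /etc/passwd, which is the point the answer makes.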
