Ssh – Can SSH public key authentication use pam_group

authenticationpamssh

I'm configuring some servers to use LDAP (via PAM) to authenticate users. Additionally, I use pam_group to add all users to some system groups like audio/video/vboxusers/….

My PAM configuration works fine with most services (su, login and sudo all take pam_group into account), but not with SSH. Specifically, when I authenticate with a public key, groups are not added from /etc/security/group.conf, but they are when I authenticate with a password.

Looking around, I've found that SSH public key authentication bypasses the PAM stack and sets user credentials by itself, so it ignores PAM-specific configurations such as pam_group. Weirdly, LDAP groups — which are usually set by pam_ldap — are set in all cases, password or no.

I'd like the user experience to be as predictable as possible for my users, so that they're always members of the same set of groups regardless of their authentication method. Is there any way to configure SSH to add groups from /etc/security/group.conf when using pubkey authentication ?

Thanks in advance,

Best Answer

Probably not.

The man page for pam_group says:

Only the auth module type is provided.

And since SSH doesn't use PAM to authenticate when it uses public keys, the auth modules are not used.

As to why pam_group only works as an auth module and not as a session module, I can't say.

Related Solutions

Ssh – Permit root to login via ssh only with key-based authentication

You can do this using the PermitRootLogin directive. From the sshd_config manpage:

Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”. The default is “yes”.

If this option is set to “without-password”, password authentication is disabled for root.

The following will accomplish what you want:

PasswordAuthentication yes
PermitRootLogin without-password

Ssh – Expired password and SSH key based login with UsePAM yes

The order of operations that causes the expired password prompt is as follows:

SSH runs the PAM account stage, which verifies that the account exists and is valid. The account stage notices that the password has expired, and lets SSH know.
SSH performs key-based authentication. It doesn't need PAM for this, so it doesn't run the auth stage. It then sets up the SSH login session and runs the PAM session stage.
Next, SSH remembers that PAM told it the password had expired, prints a warning message, and asks PAM to have the user change the password. SSH then disconnects.

All of this is SSH's doing, and I don't see any SSH options to configure this behavior. So unless you want to build a custom version of SSH and/or PAM, the only option I see is to prevent PAM from reporting the expired password to SSH. If you do this, it will disable expired password checks over SSH entirely, even if the user is logging in over SSH with a password. Other (non-SSH) methods of login will still check password expiration.

Your current pam.d/sshd file has a account include common-account entry. I presume there's a common-account file which contains a reference to pam_unix.so. This is the line that checks for an expired password.

You probably don't want to touch the common-account file itself, since it's used for other login methods. Instead, you want to remove the include from your pam.d/sshd file. If there are other functions in common-account besides pam_unix.so, you probably want to put them directly into pam.d/sshd.

Finally, remember that this is a modification to the security of your system and you shouldn't just blindly trust me to give you good advice. Read up on how PAM works if you're unfamiliar with it. Some starting places might be man 7 PAM, man 5 pam.conf, and man 8 pam_unix.

Best Answer

Related Solutions

Ssh – Permit root to login via ssh only with key-based authentication

Ssh – Expired password and SSH key based login with UsePAM yes

Related Question