Ssh – Running a script prior to ssh login … but only once

fedorapamsshsshd

I'm hoping someone can offer some insight on this problem, I found a solution to execute a script before an ssh login. It was done by placing the following line within /etc/pam.d/sshd and allowing pam authentication in /etc/ssh/sshd_config

session    required pam_exec.so /home/pc/myScript.sh

And it worked great, problem I noticed was that after exiting the SSH session the script would run again. This particular behavior completely breaks the purpose my script, is there any way to fix this? I suppose I could write-out/read-from a file on whether its time to execute but I'm wondering if there is a better way.

Additional info

OS is Fedora Server ARM 29
I determined the script ran twice by executing wall on the shell script
Here's my /etc/pam.d/shhd

#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so

### My script
session    required pam_exec.so /home/pc/aScriptThatShouldOnlyRunOncePriorToLogin.sh
###
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin

Best Answer

You can use environnement variables available in PAM like $PAM_TYPE

#!/bin/sh
if [ "$PAM_TYPE" != "open_session" ]
    then exit 0
else
    Your script here

Edit: Ref: http://www.linux-pam.org/Linux-PAM-html/sag-pam_exec.html

Related Solutions

PAM – How to Create a Conditional PAM Entry

Here is a solution that works for me. My /etc/pam.d/sudo:

#%PAM-1.0
auth            [success=1]     pam_exec.so    /tmp/test-pam
auth            required        pam_deny.so
auth            include         system-auth
account         include         system-auth
session         include         system-auth

And /tmp/test-pam:

#! /bin/bash
/bin/last -i -p now ${PAM_TTY#/dev/} | \
    /bin/awk 'NR==1 { if ($3 != "0.0.0.0") exit 9; exit 0; }'

I get this behavior:

$ sudo date
[sudo] password for jdoe:
Thu Jun 28 23:51:58 MDT 2018
$ ssh localhost
Last login: Thu Jun 28 23:40:23 2018 from ::1
valli$ sudo date
/tmp/test-pam failed: exit code 9
[sudo] password for jdoe:
sudo: PAM authentication error: System error
valli$

The first line added to the default pam.d/sudo calls pam_exec and, if it succeeds, skips the next entry. The second line just denies access unconditionally.

In /tmp/test-pam I call last to get the IP address associated with the TTY pam was invoked from. ${PAM_TTY#/dev/} removes /dev/ from the front of the value, because last doesn't recognize the full device path. The -i flag makes last show either the IP address or the placeholder 0.0.0.0 if there is no IP address; by default it shows an info string which is much harder to check. This is also why I used last instead of who or w; those don't have a similar option. The -p now option isn't strictly necessary, as we'll see awk is only checking the first line of output, but it restricts last to show only users who are presently logged in.

The awk command just checks the first line, and if the third field isn't 0.0.0.0 it exits with an error. Since this is the last command in /tmp/test-pam, awk's exit code becomes the exit code for the script.

On my system, none of the tests you were trying in your deny-ssh-user.sh would work. If you put env > /tmp/test-pam.log at the top of your script, you'll see that the environment has been stripped, so none of your SSH_FOO variables will be set. And $PPID could point to any number of processes. For example, run perl -e 'system("sudo cat /etc/passwd")' and see that $PPID refers to the perl process.

This is Arch Linux, kernel 4.16.11-1-ARCH, in case it matters. I don't think it should, though.

Best Answer

Related Solutions

PAM – How to Create a Conditional PAM Entry

Related Question