Bug 6839 - enable PAM user switching in GSI-OpenSSH (for MyProxy-enabled PAM module)
Status: VERIFIED FIXED
Product: GSI-OpenSSH
Component: GSI-OpenSSH
Version: 4.2.0
Platform: All All
Importance: P3 enhancement
Target Milestone: ---
URL: http://wiki.ngs.ac.uk/index.php?title...

Reported: 2009-08-18 03:54
Modified: 2009-10-01 07:29


Description From 2009-08-18 03:54:28
Hi,

We've developed a LinuxPAM module which, in conjunction with a minor patch to
GSI-OpenSSH, allows a user to connect using *any* SSH-enabled client as long as
the user has previously uploaded a credential to a MyProxy server. The user
simply uses the username and password to this credential to gain access.

More details on the implementation are available here:

http://wiki.ngs.ac.uk/index.php?title=KGSISSHD

Feel free to contact me if you need any more information.

Kind Regards

Kevin Haines
------- Comment #1 From 2009-08-18 08:54:35 -------
Thanks Kevin. I'll review the patch for inclusion in gsi_openssh_4.7.
------- Comment #2 From 2009-08-18 09:08:05 -------
Specifically the task is to integrate one of the patches from
https://bugzilla.mindrot.org/show_bug.cgi?id=1215
into GSI-OpenSSH for PAM user switching, to allow Kevin's PAM module to switch
usernames according to local DN mappings.

I've updated the summary to reflect this.
------- Comment #3 From 2009-08-19 15:08:29 -------
Patches committed to CVS trunk:
http://lists.globus.org/pipermail/gsi-openssh-commit/2009-August/000159.html

Next steps:
* Merge to GPT branch.
* Send Kevin a pre-release to test.
------- Comment #4 From 2009-08-31 15:00:21 -------
Kevin, could you please try installing
http://www.ncsa.uiuc.edu/~jbasney/gsi_openssh-4.6-src.tar.gz
and let me know if it works with KGSISSHD?
If you already have v4.6 installed, you'll need to do 'gpt-build -force' to
upgrade.
This version incorporates the PAM user switching patch.
I plan to release it as v4.7 once you give the OK.
Thanks. -Jim
------- Comment #5 From 2009-09-03 08:17:19 -------
Hi Jim,

Thanks, I'll build and test tomorrow or Monday.

Cheers

Kevin
------- Comment #6 From 2009-09-03 09:02:32 -------
(In reply to comment #5)
> Thanks, I'll build and test tomorrow or Monday.

Excellent. Be sure to set "PermitPAMUserChange yes" in
$GLOBUS_LOCATION/etc/ssh/sshd_config.
------- Comment #7 From 2009-09-04 09:24:14 -------
Hi Jim,

I had to do a couple of tweaks to get it to compile (see below) but otherwise -
it works fine, thanks!

Cheers

Kevin

servconf.c:402 needs a comma on the end of the line.

gss-serv.c:556: Add:
int ret;


Can I also suggest the following change to monitor.c. When PAM changes the
username under control of the MyProxy PAM module, the name of the MyProxy
credential is visible in a 'ps' listing. This patch is a little rough, but will
hide the supplied credential name when PermitPAMUserChange is set to Yes (might
it be better to have a dedicated option for this e.g. HidePAMUserChange?).

monitor.c:683
#ifdef USE_PAM
        if (options.permit_pam_user_change)
                setproctitle("%s [priv]", pwent ? "pam_chgd" : "unknown");
        else
#endif
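
Added example, not part of the original thread or of GSI-OpenSSH: a small audit for the exposure described in comment #7, listing privileged sshd monitor titles that show a name which is neither a local account nor one of the placeholders from the snippet above. The `sshd: <name> [priv]` title layout, the `ps -eo pid=,args=` input format, and the sample lines and account names are assumptions constructed for illustration.

```python
import re

# Assumed title layout of the privileged monitor: "sshd: <name> [priv]"
PRIV_TITLE = re.compile(r"^sshd: (?P<name>.+?) \[priv\]$")

# Placeholders used by the monitor.c snippet in comment #7
PLACEHOLDERS = {"pam_chgd", "unknown"}

# Constructed sample of `ps -eo pid=,args=` output (not real data)
SAMPLE_PS = [
    "    1 /sbin/init",
    "  900 /usr/sbin/sshd",
    " 2101 sshd: alice [priv]",
    " 2144 sshd: myproxy_cred_01 [priv]",
    " 2188 sshd: pam_chgd [priv]",
    " 2190 sshd: unknown [priv]",
    " 2201 sshd: alice@pts/0",
]


def exposed_names(ps_lines, local_accounts):
    """Return [(pid, name)] for monitor titles showing a non-local name.

    A name that is not a local account and not a placeholder is likely the
    identifier typed at login (here, the MyProxy credential name) and is
    readable by every local user through `ps`.
    """
    findings = []
    for line in ps_lines:
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # not a "pid args" line
        pid, title = parts
        match = PRIV_TITLE.match(title)
        if match is None:
            continue  # not a privileged sshd monitor process
        name = match.group("name")
        if name in PLACEHOLDERS or name in local_accounts:
            continue  # nothing beyond a local account name is shown
        findings.append((int(pid), name))
    return findings


if __name__ == "__main__":
    for pid, name in exposed_names(SAMPLE_PS, {"alice", "root"}):
        print(f"pid {pid}: process title exposes non-local name {name!r}")
```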
------- Comment #9 From 2009-09-11 10:17:29 -------
GSI-OpenSSH 4.7 released today.
------- Comment #10 From 2009-10-01 01:56:59 -------
Hi Jim,

I've tested the release on RH4, 64 bit - works like a charm ;-)

Many thanks

Kevin Haines
------- Comment #11 From 2009-10-01 07:29:29 -------
Excellent. Thanks Kevin for the confirmation.