why does PAM authentication (seem to) work without PAM service file ?
  comp.security.ssh
 by: Thomas Fazekas - Thu, 15 Apr 2021 12:54 UTC

Dears,

the other day I wanted to set up an sftp service that I want to keep separate from the standard ssh service (which in my case is the one provided by Ubuntu 20.04)
Accordingly I've recompiled the OpenSSH sources with : "./configure --prefix=/opt/openssh-8.5p1 --with-pam --with-pam-service=sshcd"

"sshcd" - in my case representing SSH Custom Daemon.

Now, the authentication is supposed to happen via LDAP so on purpose I did NOT provide any sshcd.conf file in /etc/pam.d/ folder, expecting that, at least in the beginning, I will not be able to log in to my shiny new ssh daemon.

To my surprise username/password authentication works, and what's even more puzzling is that if I look in the log I can even see it using pam modules :
....
[Apr 15 14:50:14][vm-1][authpriv][sshcd[2191]:][info] pam_unix(sshcd:session): session opened for user test1 by (uid=0)
....
there are more pam related logs so clearly my service is using some pam modules without me providing any configuration.

Again, there is no /etc/pam.d/sshcd.conf
Is there an explanation for this ?

Right now I'm worried about what else works without me wanting it to work ;)

Re: why does PAM authentication (seem to) work without PAM service file ?
  comp.security.ssh
 by: Thomas Fazekas - Thu, 15 Apr 2021 14:35 UTC

On Thursday, April 15, 2021 at 2:54:57 PM UTC+2, Thomas Fazekas wrote:
> Dears,
>
> the other day I wanted to set up an sftp service that I want to keep separate from the standard ssh service (which in my case is the one provided by Ubuntu 20.04)
> Accordingly I've recompiled the OpenSSH sources with : "./configure --prefix=/opt/openssh-8.5p1 --with-pam --with-pam-service=sshcd"
>
> "sshcd" - in my case representing SSH Custom Daemon.
>
> Now, the authentication is supposed to happen via LDAP so on purpose I did NOT provide any sshcd.conf file in /etc/pam.d/ folder, expecting that, at least in the beginning, I will not be able to log in to my shiny new ssh daemon.
>
> To my surprise username/password authentication works, and what's even more puzzling is that if I look in the log I can even see it using pam modules :
> ...
> [Apr 15 14:50:14][vm-1][authpriv][sshcd[2191]:][info] pam_unix(sshcd:session): session opened for user test1 by (uid=0)
> ...
> there are more pam related logs so clearly my service is using some pam modules without me providing any configuration.
>
> Again, there is no /etc/pam.d/sshcd.conf
> Is there an explanation for this ?
>
> Right now I'm worried about what else works without me wanting it to work ;)

After digging some more in the PAM documentation I believe I've found the answer to my question : http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html
Excerpt : "The service-name, other, is reserved for giving default rules."

/etc/pam.d/other - specify the PAM fallback behaviour. This file is used for any unspecified service
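
The fallback described in the post above, as an added example that is not part of the original thread: a Python check that reports which file in a PAM directory answers for a service name and whether that stack is deny-only. The sample tree, the `common-*` contents and the function names are constructed for illustration, and treating any module other than `pam_deny.so` or `pam_warn.so` as "not deny-only" is a simplifying assumption.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample data (Debian/Ubuntu-style layout); there is no "sshcd" file.
SAMPLE = {
    "other": "@include common-auth\n@include common-session\n",
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok\n"
                   "auth requisite pam_deny.so\nauth required pam_permit.so\n",
    "common-session": "session required pam_unix.so\n",
}
DENY_ALL = "".join(f"{t} required pam_deny.so\n" for t in "auth account password session".split())
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")  # type, control, module

def rules(name, pam_dir, seen=()):
    """Flatten a PAM file into (type, module) pairs, following include directives."""
    path = Path(pam_dir, name)
    if name in seen or not path.is_file():
        return []
    out = []
    for line in (r.split("#", 1)[0].strip() for r in path.read_text().splitlines()):
        if line.startswith("@include "):           # Debian-style whole-file include
            out += rules(line.split()[1], pam_dir, seen + (name,))
            continue
        m = RULE.match(line)
        if not m:                                  # blank, comment or malformed line
            continue
        mtype, control, module = m.group(1), m.group(2), Path(m.group(3)).name
        if control in ("include", "substack"):     # same-type include of another file
            out += [r for r in rules(module, pam_dir, seen + (name,)) if r[0] == mtype]
        else:
            out.append((mtype, module))
    return out

def audit(service, pam_dir):
    """Report which file answers for `service` and whether that stack is deny-only."""
    used = service if Path(pam_dir, service).is_file() else "other"
    mods = sorted({m for _, m in rules(used, pam_dir)} - {"pam_deny.so", "pam_warn.so"})
    return {"file": used, "fell_back": used != service, "non_deny_modules": mods}

def demo(other_text):
    """Write the constructed tree with the given 'other' file and audit 'sshcd'."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in {**SAMPLE, "other": other_text}.items():
            Path(d, name).write_text(text)
        return audit("sshcd", d)

if __name__ == "__main__":
    print(demo(SAMPLE["other"]), demo(DENY_ALL), sep="\n")
```

On a real host, `audit("sshcd", "/etc/pam.d")` gives the same report for the live configuration; a `fell_back` of `True` together with a non-empty `non_deny_modules` list is the situation described in the thread.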
