ssh vs. scp in custom PAM module

 
Uwe Drekert
(Msg. 1) Posted: Mon Aug 31, 2009 5:20 am
Post subject: ssh vs. scp in custom PAM module
Archived from groups: comp.os.linux.networking, others

Hi,

- here is my question again,
this time with more background detail :)

- I implement a custom PAM lib

- two linux boxes A and B; B runs an Openssh server
- use case 1: ssh login from A to B
- use case 2: scp files from A to B

- in case of the ssh login I want to give the user an info text
to read; user has to confirm typing "yes";
then, and only then, login is allowed

- the code works, but the side effect is to have to type "yes"
also in case of the scp transfer; which is not wanted and not
possible because of a bunch of automated scp based stuff

---> I have to distinguish inside my custom PAM code;
tried getenv("SSH_CLIENT") / getenv("SSH_TTY"),
but both are "null" at the time I call my custom lib
(latest inside the "auth" section of the config file)

?? any other idea what could be used to differentiate ??

regards,
Uwe
Dag-Erling Smørgrav
(Msg. 2) Posted: Mon Aug 31, 2009 7:20 am
Post subject: Re: ssh vs. scp in custom PAM module
Archived from groups: per prev. post

Uwe Drekert <UDrekert RemoveThis @arcor.de> writes:
> - I implement a custom PAM lib

Define "a custom PAM lib"

> - in case of the ssh login I want to give the user an info text
> to read; user has to confirm typing "yes";
> then, and only then, login is allowed

Did you actually mean "a custom PAM module"?

> - the code works, but the side effect is to have to type "yes"
> also in case of the scp transfer; which is not wanted and not
> possible because of a bunch of automated scp based stuff
>
> ---> I have to distinguish inside my custom PAM code;
> tried getenv("SSH_CLIENT") / getenv("SSH_TTY"),
> but both are "null" at the time I call my custom lib
> (latest inside the "auth" section of the config file)
>
> ?? any other idea what could be used to differentiate ??

You can't - scp basically uses ssh (meaning the ssh program itself) as a
pipe to start and communicate with another scp instance on the server.
It's like running "ssh user@host ls": all sshd knows is that it should
run a certain command instead of opening a pty and forking a shell - and
it doesn't even figure *that* out until *after* authentication is
complete.

You can differentiate on pam_user if you use different users for the
automated transfers. If permissions are an issue, use aliases - i.e.
users with the same UID as other users, like the classic BSD "toor"
user. I would recommend implementing this as module options, so you can
specify which users or groups to include or exclude in pam.conf, instead
of hardcoding them. If you're on a system that uses OpenPAM instead of
Linux-PAM, the openpam_get_option() function makes that very easy;
otherwise, you have to use getopt() or similar to process the argc /
argv you get from the stack.

DES
--
Dag-Erling Smørgrav - des RemoveThis @des.no
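An added example of the PAM_USER plus module-options approach DES describes. This is example code written for this page, not the poster's module and not part of Linux-PAM or OpenPAM; the module name pam_confirm, the option names exempt_users/exempt_groups and the notice text are assumptions. The user name comes from pam_get_user(), never from getenv(): nothing in the environment tells an auth-stack module whether scp or a shell will follow, so the only thing it can key on is who is logging in. The decision core builds on plain libc; the Linux-PAM entry points, which use pam_info() and pam_prompt() from security/pam_ext.h, are compiled in with -DWITH_LIBPAM.

```c
/* pam_confirm.c: notice + "yes" prompt for everyone except the users/groups named
 * in pam.conf. Added example for this thread, not the poster's code and not part
 * of Linux-PAM/OpenPAM. The decision core needs only libc; the PAM glue builds with
 *   cc -DWITH_LIBPAM -fPIC -shared -o pam_confirm.so pam_confirm.c -lpam */
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>

/* Raw option values as written in pam.conf (NULL when not given). They point into
 * PAM's own argv, which stays valid for the duration of the module call. */
struct gate_opts { const char *users, *groups; };
const char NOTICE[] = "Authorised users only. Activity on this host is logged.";

/* Parse the "key=value" module arguments from pam.conf, e.g.
 *   auth required pam_confirm.so exempt_users=backup,deploy exempt_groups=batch
 * Unknown words are ignored so a typo cannot lock everyone out. */
void parse_opts(int argc, const char **argv, struct gate_opts *o)
{
    o->users = o->groups = NULL;
    for (int i = 0; i < argc; i++) {
        if (strncmp(argv[i], "exempt_users=", 13) == 0) o->users = argv[i] + 13;
        else if (strncmp(argv[i], "exempt_groups=", 14) == 0) o->groups = argv[i] + 14;
    }
}

/* Whole-item match against a comma-separated list ("deploy" does not match "deployer"). */
static int in_csv(const char *csv, const char *name)
{
    if (!csv) return 0;
    size_t len = strlen(name);
    for (const char *p = csv; p; ) {
        const char *end = strchr(p, ',');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n == len && memcmp(p, name, n) == 0) return 1;
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* 1 = the user must read the notice and answer "yes", 0 = exempt. A group counts
 * as the user's primary group or through its member list; an unknown user is
 * never exempt (fail closed). */
int must_prompt(const struct gate_opts *o, const char *user)
{
    if (in_csv(o->users, user)) return 0;
    if (!o->groups) return 1;
    struct passwd *pw = getpwnam(user);
    if (!pw) return 1;
    int exempt = 0;
    setgrent();
    for (struct group *gr; !exempt && (gr = getgrent()); ) {
        if (!in_csv(o->groups, gr->gr_name)) continue;
        if (gr->gr_gid == pw->pw_gid) exempt = 1;
        for (char **m = gr->gr_mem; !exempt && *m; m++) exempt = strcmp(*m, user) == 0;
    }
    endgrent();
    return !exempt;
}

/* Accept "yes" in any case, surrounding whitespace ignored; anything else,
 * including an empty or missing answer, denies. */
int answer_is_yes(const char *resp)
{
    if (!resp) return 0;
    while (isspace((unsigned char)*resp)) resp++;
    size_t n = strlen(resp);
    while (n > 0 && isspace((unsigned char)resp[n - 1])) n--;
    if (n != 3) return 0;
    for (int i = 0; i < 3; i++) if (tolower((unsigned char)resp[i]) != "yes"[i]) return 0;
    return 1;
}

#ifdef WITH_LIBPAM
#include <security/pam_modules.h>
#include <security/pam_ext.h>              /* pam_info(), pam_prompt() */
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL; char *resp = NULL; struct gate_opts o; (void)flags;
    /* Ask PAM for the user; getenv("SSH_TTY") is empty here because sshd runs the
     * auth stack before it knows whether a shell or scp will follow. */
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || !user) return PAM_USER_UNKNOWN;
    parse_opts(argc, argv, &o);
    if (!must_prompt(&o, user)) return PAM_SUCCESS;
    pam_info(pamh, "%s", NOTICE);
    int rc = pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &resp, "Type \"yes\" to continue: ");
    int ok = rc == PAM_SUCCESS && answer_is_yes(resp);
    free(resp);
    return ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{ (void)pamh; (void)flags; (void)argc; (void)argv; return PAM_SUCCESS; }
#endif
```

With Linux-PAM, a line such as `auth required pam_confirm.so exempt_users=backup,deploy exempt_groups=batch` in /etc/pam.d/sshd gives the automation accounts a silent path and prompts everyone else. Two caveats for OpenSSH: a prompt issued from the auth stack only reaches the client through keyboard-interactive authentication (UsePAM yes together with ChallengeResponseAuthentication/KbdInteractiveAuthentication yes); public-key logins never call pam_authenticate, so they would not see the notice at all. And non-exempt users are still prompted when they run scp or `ssh host command`, which is exactly the limitation DES points out.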
F. Michael Orr
(Msg. 3) Posted: Mon Aug 31, 2009 9:39 am
Post subject: Re: ssh vs. scp in custom PAM module
Archived from groups: comp.os.linux.networking

On Mon, 31 Aug 2009 15:15:07 +0100, Lusotec wrote:

> Uwe Drekert wrote:
>> - here is my question again,
>> this time with more background detail :)
>>
>> - I implement a custom PAM lib
>>
>> - two linux boxes A and B; B runs an Openssh server
>> - use case 1: ssh login from A to B
>> - use case 2: scp files from A to B
>>
>> - in case of the ssh login I want to give the user an info text
>> to read; user has to confirm typing "yes"; then, and only then,
>> login is allowed
>>
>> - the code works, but the side effect is to have to type "yes"
>> also in case of the scp transfer; which is not wanted and not
>> possible because of a bunch of automated scp based stuff
>>
>> ---> I have to distinguish inside my custom PAM code;
>> tried getenv("SSH_CLIENT") / getenv("SSH_TTY"),
>> but both are "null" at the time I call my custom lib (latest inside
>> the "auth" section of the config file)
>>
>> ?? any other idea what could be used to differentiate ??
>
> One possibility (maybe) would be to run two sshd in different ports with
> different configuration, one using PAM and the other not.
>
> There is a SendEnv option but it probably does not work since the PAM
> module runs during the authentication and at that stage the environment
> is not setup yet.
>
> Regards.

I had a similar problem in that I had to allow scps to a server under a
specific userid, but not allow direct SSH logins. Therefore I had to
have different behavior between SCP and SSH. My solution does not
involve PAM; instead, I created a script in /etc/profile.d/ which gets
called when the user logs in. I check for the existence of the variable
"$SSH_TTY". If this exists, then the user had logged in via SSH, but
isn't in a scp session.