Tested on several versions from 8.8p1 right back to 7.4p1 and on different distros (RHEL, Ubuntu)
Issue:
If you use su - to elevate privileges when using the auth suffucient pam_ssh_agent_auth .so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys parameters within /etc/pam.d/su-l it passes the logged on username instead of the user to be elevated to. The result of this is the wrong public key is returned by sss_ssh_authorizedkeys.
Debugging:
It seems to be specific to authorized_keys_command within pam_ssh_agent as I've tried writing a simple bash script which outputs %u and that is returning the wrong user. If you use file=/%h/%u/.ssh/authorized_keys that does return the correct user which makes e think its specific to the command.
Scenario:
User alice with standard privileges logs on from Windows using pageant/PuttyCAC and has a smart card inserted. To do any superuser commands, she has to elevate herself with su - adminalice.
-
SSH connects fine
-
Alice does su - adminalice
-
Authentication starts processing but rejects the authentication by smartcard (returns wrong smartcard inserted within Windows) and reverts to password (the next line down in the pam.d file)
-
When using "debug" in the pam.d/su-l file you can see the following output in /var/log/secure or /var/log/auth.log:
pam_ssh_agent_auth: debug1: Running AuthorizedKeysCommand: "/usr/bin/sss_ssh_authorizedkeys" as "alice" with argument: "alice"
-
This should read
pam_ssh_agent_auth: debug1: Running AuthorizedKeysCommand: "/usr/bin/sss_ssh_authorizedkeys" as "alice" with argument: "adminalice"
Tested on several versions from 8.8p1 right back to 7.4p1 and on different distros (RHEL, Ubuntu)
Issue:
If you use su - to elevate privileges when using the auth suffucient pam_ssh_agent_auth .so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys parameters within /etc/pam.d/su-l it passes the logged on username instead of the user to be elevated to. The result of this is the wrong public key is returned by sss_ssh_authorizedkeys.
Debugging:
It seems to be specific to authorized_keys_command within pam_ssh_agent as I've tried writing a simple bash script which outputs %u and that is returning the wrong user. If you use file=/%h/%u/.ssh/authorized_keys that does return the correct user which makes e think its specific to the command.
Scenario:
User alice with standard privileges logs on from Windows using pageant/PuttyCAC and has a smart card inserted. To do any superuser commands, she has to elevate herself with su - adminalice.
SSH connects fine
Alice does su - adminalice
Authentication starts processing but rejects the authentication by smartcard (returns wrong smartcard inserted within Windows) and reverts to password (the next line down in the pam.d file)
When using "debug" in the pam.d/su-l file you can see the following output in /var/log/secure or /var/log/auth.log:
pam_ssh_agent_auth: debug1: Running AuthorizedKeysCommand: "/usr/bin/sss_ssh_authorizedkeys" as "alice" with argument: "alice"
This should read
pam_ssh_agent_auth: debug1: Running AuthorizedKeysCommand: "/usr/bin/sss_ssh_authorizedkeys" as "alice" with argument: "adminalice"