Handling of PAM sessions

Daniele GMail d.dario76 at gmail.com
Tue Oct 29 18:54:25 AWST 2024


Hi everyone,
I'm using dropbear v2019.78 and I have a question about the handling of
PAM sessions. From a brief check, it seems that the problem is still
present in v2022.83, but I haven't checked the latest source code.

The issue I see is the following: when a connection is created and PAM
is used for authentication, the PAM session handle is not stored. This
makes it impossible to listen for PAM session events and so reduces the
ability to perform auditing, such as of session terminations.

To fix it I have two patches (which apply to 2019.78, but I can also
provide them for the latest code) which:
   1. When a connection is created and PAM is used for authentication,
      also open a PAM session and store it so that when the connection
      terminates, we can close it. This way it would be possible to
      listen for PAM session events in order to perform auditing.
   2. During PAM authentication, show the user name even if it is not
      valid. This allows auditing of invalid login attempts.

Please let me know if the problem I'm seeing is a misinterpretation of
the code.

Thanks,
Daniele.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-handle-PAM-sessions.patch
Type: text/x-patch
Size: 8189 bytes
Desc: not available
URL: <https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20241029/6348093e/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0008-show-user-during-auth.patch
Type: text/x-patch
Size: 1196 bytes
Desc: not available
URL: <https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20241029/6348093e/attachment-0001.bin>
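
The auditing described in the message, as an added example that is not part of the original post or its patches: once a PAM session is opened and closed per connection, a session module such as pam_unix logs "session opened" and "session closed" lines, and a script can pair them to report terminated, still-open and unmatched sessions. The log lines are constructed, and the `dropbear[PID]` syslog tag, the `sshd` PAM service name and the `audit_sessions` helper are assumptions.

```python
import re

# Constructed syslog lines in the format pam_unix uses for session events.
# Assumptions: "dropbear[PID]" tag, "sshd" service name, one PID per connection.
SAMPLE_LOG = """\
Oct 29 10:00:01 gw dropbear[2101]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
Oct 29 10:00:07 gw dropbear[2107]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Oct 29 10:04:30 gw dropbear[2101]: pam_unix(sshd:session): session closed for user alice
Oct 29 10:05:00 gw dropbear[2190]: pam_unix(sshd:session): session closed for user carol
"""

# Matches both "user alice(uid=1000)" and the older "user alice" form.
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s\S+\[(?P<pid>\d+)\]:\s"
    r"pam_unix\([^:)]+:session\):\ssession\s(?P<kind>opened|closed)"
    r"\sfor\suser\s(?P<user>[^\s(]+)"
)


def audit_sessions(log_text):
    """Pair open/close events by (pid, user).

    Returns (completed, still_open, orphan_closes), each a list of tuples.
    """
    open_sessions = {}
    completed, orphan_closes = [], []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # not a PAM session event
        key = (m["pid"], m["user"])
        if m["kind"] == "opened":
            open_sessions[key] = m["ts"]
        elif key in open_sessions:
            completed.append((m["user"], m["pid"], open_sessions.pop(key), m["ts"]))
        else:
            # A close with no recorded open: log gap or rotated file.
            orphan_closes.append((m["user"], m["pid"], m["ts"]))
    still_open = [(user, pid, ts) for (pid, user), ts in open_sessions.items()]
    return completed, still_open, orphan_closes


if __name__ == "__main__":
    done, live, orphans = audit_sessions(SAMPLE_LOG)
    for label, rows in (("terminated", done), ("still open", live), ("orphan close", orphans)):
        for row in rows:
            print(label, *row)
```

A server that never calls the PAM session hooks produces none of these lines, so every connection is invisible to this kind of audit.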

