SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

`proxy` provider does not support `session` target #7662

Open ericnorris opened 17 hours ago

ericnorris commented 17 hours ago

When using the following sssd.conf snippet:

```
[domain/foo]
auth_provider    = proxy
proxy_pam_target = foo
```

...and the following PAM service configuration at /etc/pam.d/foo:

```
session required pam_exec.so <some binary>
```

...we notice that sssd's PAM proxy does not appear to execute the specified session module.

This may be because proxy_auth seems to ignore SSS_PAM_OPEN_SESSION and SSS_PAM_CLOSE_SESSION: https://github.com/SSSD/sssd/blob/ed666e9fa8d5be66700d69186c2edb350df5816f/src/providers/proxy/proxy_auth.c#L775-L779

Interestingly proxy_child does seem to support both, however: https://github.com/SSSD/sssd/blob/ed666e9fa8d5be66700d69186c2edb350df5816f/src/providers/proxy/proxy_child.c#L248-L253

I'm not sure if this is a feature request or a bug, since sssd's own code references session modules in proxy_pam_target tests: https://github.com/SSSD/sssd/blob/ed666e9fa8d5be66700d69186c2edb350df5816f/src/tests/multihost/alltests/sssdproxyldap#L4

In either case, it'd be nice if session modules worked with the proxy_pam_target.

ericnorris commented 17 hours ago

Here are some additional logs that seem to indicate that sssd is skipping SSS_PAM_OPEN_SESSION:

```
Oct 18 15:22:06 test-20241018 sssd_be[8956]: command: SSS_PAM_OPEN_SESSION
Oct 18 15:22:06 test-20241018 sssd_be[8956]: domain: foo
Oct 18 15:22:06 test-20241018 sssd_be[8956]: user: <redacted>
Oct 18 15:22:06 test-20241018 sssd_be[8956]: service: sshd
Oct 18 15:22:06 test-20241018 sssd_be[8956]: tty: ssh
Oct 18 15:22:06 test-20241018 sssd_be[8956]: ruser:
Oct 18 15:22:06 test-20241018 sssd_be[8956]: rhost: <redacted>
Oct 18 15:22:06 test-20241018 sssd_be[8956]: authtok type: 0 (No authentication token available)
Oct 18 15:22:06 test-20241018 sssd_be[8956]: newauthtok type: 0 (No authentication token available)
Oct 18 15:22:06 test-20241018 sssd_be[8956]: priv: 1
Oct 18 15:22:06 test-20241018 sssd_be[8956]: cli_pid: 20261
Oct 18 15:22:06 test-20241018 sssd_be[8956]: logon name: not set
Oct 18 15:22:06 test-20241018 sssd_be[8956]: flags: 0
Oct 18 15:22:06 test-20241018 sssd_be[8956]: Target session is not configured
Oct 18 15:22:06 test-20241018 sssd_be[8956]: sssd.dataprovider.pamHandler: Success
```

These logs seem to come from here: https://github.com/SSSD/sssd/blob/ed666e9fa8d5be66700d69186c2edb350df5816f/src/providers/data_provider/dp_target_auth.c#L69-L80

...and further down, it looks like SSS_PAM_CLOSE_SESSION is more directly ignored: https://github.com/SSSD/sssd/blob/ed666e9fa8d5be66700d69186c2edb350df5816f/src/providers/data_provider/dp_target_auth.c#L87-L92
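
An added example, not part of the original thread or SSSD's own code: a small Python check that scans `sssd_be` log lines in the format quoted above and reports each PAM session request that was answered with `Target session is not configured`, which is how a silently skipped `session` module shows up in the backend log. The sample log, host name and user are constructed for illustration.

```python
import re

# Syslog-style backend line: "<timestamp> <host> sssd_be[<pid>]: <message>"
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\ssssd_be\[(\d+)\]:\s?(.*)$")
SESSION_COMMANDS = {"SSS_PAM_OPEN_SESSION", "SSS_PAM_CLOSE_SESSION"}
SKIP_MARKER = "Target session is not configured"

def find_skipped_sessions(lines):
    """Return one dict per PAM session request the backend did not handle."""
    current = {}    # (host, pid) -> fields of the request currently being dumped
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, host, pid, msg = m.groups()
        key = (host, pid)
        if msg.startswith("command:"):
            # A "command:" line opens a new request dump for this process.
            current[key] = {"time": when, "host": host,
                            "command": msg.split(":", 1)[1].strip()}
        elif key in current and msg == SKIP_MARKER:
            req = current.pop(key)
            if req["command"] in SESSION_COMMANDS:
                findings.append(req)
        elif key in current and ":" in msg:
            name, value = msg.split(":", 1)
            current[key].setdefault(name.strip(), value.strip())
    return findings

# Constructed sample modelled on the log excerpt in the issue.
SAMPLE_LOG = """\
Oct 18 15:22:05 host1 sssd_be[100]: command: SSS_PAM_AUTHENTICATE
Oct 18 15:22:05 host1 sssd_be[100]: domain: foo
Oct 18 15:22:05 host1 sssd_be[100]: service: sshd
Oct 18 15:22:05 host1 sssd_be[100]: sssd.dataprovider.pamHandler: Success
Oct 18 15:22:06 host1 sssd_be[100]: command: SSS_PAM_OPEN_SESSION
Oct 18 15:22:06 host1 sssd_be[100]: domain: foo
Oct 18 15:22:06 host1 sssd_be[100]: user: alice
Oct 18 15:22:06 host1 sssd_be[100]: service: sshd
Oct 18 15:22:06 host1 sssd_be[100]: Target session is not configured
Oct 18 15:22:06 host1 sssd_be[100]: sssd.dataprovider.pamHandler: Success
"""

if __name__ == "__main__":
    for f in find_skipped_sessions(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['host']}: {f['command']} skipped "
              f"(domain={f.get('domain')}, service={f.get('service')})")
```
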

ericnorris commented 11 hours ago

Upon closer inspection, `Target session is not configured` seems to be due to not defining a `session_provider`. Defining `session_provider = proxy`, however, fails since `sssm_proxy_session_init` is not defined in `proxy_init.c`.

Based on this understanding, I believe this is a feature request to: