When remote roles are allowed by the PAM configuration, OpenSSH should allow login to a role with hostbased authentication. E.g.:
- if local user testuser has been assigned role testrole,
- and hostbased authentication has been configured for the remote host,
- and the local PAM account stack lists the pam_roles module with option allow_remote,
- then remote user testuser should be allowed to log in directly to testrole.
Created attachment 2582: patch implementing login to a role
Steps to reproduce/test
----

On the server:

# enable hostbased auth and let sshd read ~/.shosts (IgnoreRhosts defaults to yes)
echo 'HostbasedAuthentication yes' >>/etc/ssh/sshd_config
echo 'IgnoreRhosts no' >>/etc/ssh/sshd_config
svcadm restart ssh
# create the role and a user that is allowed to assume it
roleadd -m testrole
useradd -m -R testrole testuser
# PAM service used by sshd for hostbased authentication; pam_roles gets allow_remote
cat >/etc/pam.d/sshd-hostbased <<EOF
auth     definitive pam_user_policy.so.1
auth     requisite  pam_authtok_get.so.1
auth     required   pam_dhkeys.so.1
auth     required   pam_unix_auth.so.1
auth     required   pam_unix_cred.so.1
account  requisite  pam_roles.so.1 allow_remote debug
account  definitive pam_user_policy.so.1
account  required   pam_unix_account.so.1
account  required   pam_tsol_account.so.1
session  definitive pam_user_policy.so.1
session  required   pam_unix_session.so.1
@ password definitive pam_user_policy.so.1
@ password include    pam_authtok_common
@ password required   pam_authtok_store.so.1
EOF
# as the role: trust testuser coming from the client host, and learn the client's host key
su - testrole
echo '192.168.0.1 testuser' >.shosts
ssh testuser@192.168.0.1   # to populate known_hosts
^D

On the client:

echo 'EnableSSHKeysign yes' >>/etc/ssh/ssh_config
useradd -m testuser
su - testuser
ssh testrole@serverb.tkuthan.oracle.com
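As an added example (not code from the bug report, the attached patch or OpenSSH), here is a small POSIX sh preflight check for the server-side preconditions the steps above set up: HostbasedAuthentication yes, IgnoreRhosts no, and pam_roles.so.1 with allow_remote in the account stack. The function names and the two constructed sample configuration files it writes are assumptions made for this example. It also shows a pitfall of the "echo ... >>" approach used above: sshd takes the first value given for a keyword, so an appended line changes nothing if the keyword is already set earlier in the file.

```shell
#!/bin/sh
# Added example: a preflight check for the server-side preconditions in the
# steps above. It is not part of the bug report, the attached patch or OpenSSH;
# the function names and the sample files it writes are assumptions made here.

# Effective value of an sshd_config keyword. Keywords are case-insensitive and,
# when one appears more than once, sshd uses the FIRST value, so a line appended
# with >> is silently ignored if the keyword was already set earlier in the file.
sshd_opt() {            # sshd_opt <sshd_config> <keyword>  -> prints value (empty if unset)
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        tolower($1) == key       { print $2; exit }
    ' "$1"
}

# Exit 0 when the PAM account stack lists pam_roles with the allow_remote option.
pam_roles_allow_remote() {   # pam_roles_allow_remote <pam.d service file>
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "account" && $3 ~ /^pam_roles\.so/ {
            for (i = 4; i <= NF; i++) if ($i == "allow_remote") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Exit 0 when all three preconditions hold; otherwise print what is wrong and exit 1.
check_hostbased_role_login() {   # check_hostbased_role_login <sshd_config> <pam.d service file>
    rc=0
    hb=$(sshd_opt "$1" HostbasedAuthentication | tr 'A-Z' 'a-z')
    ir=$(sshd_opt "$1" IgnoreRhosts | tr 'A-Z' 'a-z')
    [ "$hb" = yes ] || { echo "HostbasedAuthentication is '${hb:-unset, default no}', need yes"; rc=1; }
    [ "$ir" = no ]  || { echo "IgnoreRhosts is '${ir:-unset, default yes}', need no so ~/.shosts is read"; rc=1; }
    pam_roles_allow_remote "$2" || { echo "PAM account stack lacks 'pam_roles.so.1 allow_remote'"; rc=1; }
    return $rc
}

# --- constructed sample inputs, written to a scratch directory ---
T=${TMPDIR:-/tmp}/hbcheck.$$
mkdir -p "$T"
trap 'rm -rf "$T"' EXIT

# Sample 1: the lines the steps above append, with nothing earlier overriding them.
cat >"$T/sshd_config.good" <<'EOF'
# constructed sshd_config fragment
PermitRootLogin no
HostbasedAuthentication yes
IgnoreRhosts no
EOF
cat >"$T/sshd-hostbased" <<'EOF'
auth    definitive pam_user_policy.so.1
account requisite  pam_roles.so.1 allow_remote debug
account definitive pam_user_policy.so.1
account required   pam_unix_account.so.1
EOF

# Sample 2: the same two lines appended after an earlier "HostbasedAuthentication no".
# sshd keeps the first value, so hostbased authentication stays off.
cat >"$T/sshd_config.bad" <<'EOF'
HostbasedAuthentication no
HostbasedAuthentication yes
IgnoreRhosts no
EOF

if check_hostbased_role_login "$T/sshd_config.good" "$T/sshd-hostbased"; then
    echo "sample 1: preconditions met"
fi
check_hostbased_role_login "$T/sshd_config.bad" "$T/sshd-hostbased" || echo "sample 2: not ready (expected)"
```

On the server itself, run it as check_hostbased_role_login /etc/ssh/sshd_config /etc/pam.d/sshd-hostbased. OpenSSH's "sshd -T" prints the effective configuration and is the authoritative answer to the first-match question. The PAM check only establishes that the option is present in the file; whether sshd and pam_roles then actually permit the remote user to log in to the role is what this report and the attached patch are about.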