Bug 2910 - sshd_config Match section - pam functions cannot use stdout?
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.6p1
Hardware: amd64 Linux
Importance: P3 major
Assignee: Assigned to nobody
Reported: 2018-09-26 07:58 AEST by Akshay
Modified: 2021-03-04 09:53 AEDT (History)
Description Akshay 2018-09-26 07:58:01 AEST
What I'm seeing:
----------------
When a user login hits a "Match" section, the pam modules seem to be unable to use stdout.

Steps to repro:
---------------
I'm running an almost vanilla openssh installation inside a ubuntu:bionic container. In here, I append the following to the bottom of the file:

```
Match Group foobar
	ForceCommand bash
```
Next, I add 2 users to the system, named `foobar` and `bazbaz`.

Next, I add some text to the MOTD file (/etc/motd).

Next, I also modify the /etc/pam.d/sshd config to contain these:
```
session    optional     pam_motd.so noupdate
session    optional     pam_exec.so stdout /bin/echo ECHOECHO
```

So when I log in using `bazbaz` I see that the motd and the stdout message appears (as emitted by the PAM module). Also the PrintLastLog directive kicks in and the last login is also printed.

However, when I log in using `foobar` (where the Match directive kicks in) I see neither the motd, nor the stdout message, nor the lastlog. This leads me to believe that stdout handling is somehow different when the Match is hit. I would have suspected the pam modules (or libpam), but since the LastLog is an `sshd` function, I'm inclined to believe this is somehow related to stdout (hence marking the component as 'sshd').

Not sure if this is a bug or a case of missing documentation.
Comment 1 Akshay 2018-10-09 10:25:07 AEDT
Bumping up importance (P = priority?) to see if I can get some visibility.
Comment 2 Damien Miller 2018-12-07 15:07:23 AEDT
stdout isn't attached in any case. The session modules record the output of the PAM conversation functions at the end of the authentication phase and it is replayed later when the user has an actual channel over which to send them.

The difference is not stdout, but that the login messages are suppressed when a command is executed so as not to pollute the command's stdout.
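The following is an added example, not code from this bug or from OpenSSH. It models two things the thread discusses: how a `Match Group foobar` block selects `ForceCommand` for one user and not another, and the rule stated in comment 2 that the login messages (motd, last login, queued PAM session output) are only delivered for an interactive login and are withheld whenever a command runs. The parser is a simplification of sshd_config(5) that handles only the `User`, `Group` and `All` criteria; the pattern and group matching mirror OpenSSH's documented semantics (comma-separated globs, a leading `!` negates), and the `~/.hushlogin` parameter reflects the file documented in sshd(8). The config fragment is constructed to match the reporter's repro steps.

```python
"""Model of sshd_config Match evaluation plus the "quiet login when a command
runs" rule from comment 2 of this bug. Constructed example, not OpenSSH code.
Simplifications of sshd_config(5): keywords before the first Match line form
the global section; a satisfied Match block overrides global values; when
several blocks are satisfied, the first block that sets a keyword wins; only
the User, Group and All criteria are modelled."""
import fnmatch
import shlex

# Constructed sshd_config fragment mirroring the bug report's repro steps.
SAMPLE_CONFIG = """
PrintMotd yes
PrintLastLog yes
UsePAM yes

Match Group foobar
    ForceCommand bash
"""


def match_pattern_list(value, pattern_list):
    """Mimic OpenSSH match_pattern_list(): 1 = positive match, -1 = a negated
    pattern matched (rejects outright), 0 = no match."""
    found = False
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(value, pat[1:]):
                return -1
        elif fnmatch.fnmatchcase(value, pat):
            found = True
    return 1 if found else 0


def match_groups(groups, pattern_list):
    """Group criterion: any group may match, but a negated hit on any group wins."""
    found = False
    for group in groups:
        result = match_pattern_list(group, pattern_list)
        if result == -1:
            return False
        found = found or result == 1
    return found


def parse_sshd_config(text):
    """Split config text into (global_options, [(criteria, options), ...])."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            if len(args) == 1 and args[0].lower() == "all":
                criteria = {"all": ""}
            elif args and len(args) % 2 == 0:
                criteria = {args[i].lower(): args[i + 1] for i in range(0, len(args), 2)}
            else:
                raise ValueError(f"Match needs criteria/pattern pairs: {line!r}")
            current = (criteria, {})
            blocks.append(current)
        else:
            target = global_opts if current is None else current[1]
            target.setdefault(keyword, " ".join(args))  # first value wins
    return global_opts, blocks


def effective_options(config_text, user, groups):
    """Options sshd would apply to a login by `user` whose groups are `groups`."""
    global_opts, blocks = parse_sshd_config(config_text)
    from_match = {}
    for criteria, opts in blocks:
        satisfied = True
        for crit, pattern in criteria.items():
            if crit == "all":
                continue
            if crit == "user":
                satisfied = match_pattern_list(user, pattern) == 1
            elif crit == "group":
                satisfied = match_groups(groups, pattern)
            else:
                raise NotImplementedError(f"Match criterion {crit!r} not modelled")
            if not satisfied:
                break
        if satisfied:
            for key, value in opts.items():
                from_match.setdefault(key, value)  # first satisfied block wins
    return {**global_opts, **from_match}


def login_messages_shown(opts, client_command=None, hushlogin=False):
    """Which login-time messages a session receives. A ForceCommand, a command
    requested by the client, or ~/.hushlogin (sshd(8)) makes the login quiet."""
    runs_command = bool(opts.get("forcecommand") or client_command)
    interactive = not runs_command and not hushlogin
    return {
        "motd": interactive and opts.get("printmotd", "yes") == "yes",
        "lastlog": interactive and opts.get("printlastlog", "yes") == "yes",
        "pam_session_output": interactive and opts.get("usepam", "no") == "yes",
    }


if __name__ == "__main__":
    for user in ("foobar", "bazbaz"):
        opts = effective_options(SAMPLE_CONFIG, user, [user])
        print(user, opts.get("forcecommand"), login_messages_shown(opts))
```

Run against the sample config, `foobar` picks up `ForceCommand bash` and every message comes back suppressed, while `bazbaz` gets all three; passing a client-requested command for `bazbaz` suppresses them just the same, which is the point of comment 2. To check the same thing against a real daemon rather than this model, `sshd -T -C user=foobar` prints the effective configuration for that user with Match blocks evaluated.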
Comment 3 Akshay 2018-12-20 10:07:32 AEDT
> The difference is not stdout, but that the login messages are suppressed when a command is executed so as not to pollute the command's stdout.

Gotcha. In that case, is there a way to un-suppress those messages? I'm looking to use a `Match` clause along with a ForceCommand to force a particular login shell. When used this way, the login messages cease to work. (I guess I'm in the need for a `ForceShell` if one exists).
Comment 4 Damien Miller 2019-01-22 22:34:30 AEDT
I'm not sure - you *might* be able to use a PAM session session - the messages for these are queued and displayed at login time.
Comment 5 Damien Miller 2020-11-27 14:53:49 AEDT
Workaround provided. Please reopen if it doesn't work.
Comment 6 Damien Miller 2021-03-04 09:53:28 AEDT
close bugs that were resolved in OpenSSH 8.5 release cycle