ssh vs. scp in custom PAM module

- here is my question again,
   this time with more background detail :)

- I implement a custom PAM lib

- two linux boxes A and B; B runs an Openssh server
- use case 1: ssh login from A to B
- use case 2: scp files from A to B

- in case of the ssh login I want to give the user an info text
   to read;  user has to confirm typing "yes";
   then, and only then, login is allowed

- the code works, but the side effect is to have to type "yes"
   also in case of the scp transfer; which is not wanted and not
   possible because of a bunch of automated scp based stuff

---> I have to distinguish inside my custom PAM code;
    tried  getenv("SSH_CLIENT") / getenv("SSH_TTY"),
   but both are "null" at the time I call my custom lib
   (latest inside the "auth" section of the config file)

?? any other idea what could be used to differentiate ??


Re: ssh vs. scp in custom PAM module

Define "a custom PAM lib"

Did you actually mean "a custom PAM module"?

You can't - scp basically uses ssh (meaning the ssh program itself) as a
pipe to start and communicate with another scp instance on the server.
It's like running "ssh user@host ls": all sshd knows is that it should
run a certain command instead of opening a pty and forking a shell - and
it doesn't even figure *that* out until *after* authentication is

You can differentiate on pam_user if you use different users for the
automated transfers.  If permissions are an issue, use aliases - i.e.
users with the same UID as other users, like the classic BSD "toor"
user.  I would recommend implementing this as module options, so you can
specify which users or groups to include or exclude in pam.conf, instead
of hardcoding them.  If you're on a system that uses OpenPAM instead of
Linux-PAM, the openpam_get_option() function makes that very easy;
otherwise, you have to use getopt() or similar to process the argc /
argv you get from the stack.

Dag-Erling Smørgrav -
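The module-option approach suggested above, as an added example that is not code from the thread: the function parses a Linux-PAM style option list (the argc/argv handed to pam_sm_authenticate()) for an assumed `skip_users=` option and decides whether the "type yes" prompt should be skipped for the PAM user. The option name, the module name pam_confirm.so and the user names are assumptions for illustration.

```c
/* Added example: decide from module options whether the confirmation
 * prompt can be skipped for a given PAM_USER. "skip_users=" is an
 * assumed option name, not part of any PAM standard. */
#include <stdbool.h>
#include <string.h>

/* Return true if `user` is one of the comma-separated names in `list`.
 * Full-name match only, so "scp" does not match "scpbot". */
static bool in_list(const char *list, const char *user)
{
    size_t ulen = strlen(user);
    const char *p = list;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == ulen && strncmp(p, user, len) == 0)
            return true;
        if (!end)
            break;
        p = end + 1;
    }
    return false;
}

/* Walk the module's argv looking for skip_users=a,b,c.  If the option is
 * absent or the user is not listed, the answer is "prompt" (fail closed). */
bool skip_prompt(int argc, const char **argv, const char *user)
{
    static const char key[] = "skip_users=";
    for (int i = 0; i < argc; i++) {
        if (strncmp(argv[i], key, sizeof key - 1) == 0 &&
            in_list(argv[i] + (sizeof key - 1), user))
            return true;
    }
    return false;
}

/* Inside the module, pam_sm_authenticate(pamh, flags, argc, argv) would
 * fetch the user with pam_get_user(pamh, &user, NULL) and then:
 *     if (skip_prompt(argc, argv, user)) return PAM_SUCCESS;
 *     ... otherwise show the info text and require "yes" ...
 * with a pam.conf line such as (module name assumed):
 *     auth required pam_confirm.so skip_users=scpbot,backup
 */
```

Interactive users not named in the option still get the prompt, while the accounts used for the automated scp jobs pass straight through.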

Re: ssh vs. scp in custom PAM module

Uwe Drekert wrote:

One possibility (maybe) would be to run two sshd instances on different ports with
different configurations, one using PAM and the other not.

There is a SendEnv option but it probably does not work since the PAM module
runs during the authentication and at that stage the environment is not
setup yet.
