Hello again, I am having a closer look.


On 27/06/16 13:02, Harald Dunkel wrote:
> Package: libpam-ssh
> Version: 2.1+ds1-1
> 
> If I ssh to a host "unstable", run "ssh localhost" or
> "ssh `hostname`", and exit the nested ssh session again, then
> the ssh-agent started by pam_ssh at first login time is lost.

Was this issue present with the former pam_ssh package?



> Hard to explain. Sample session:
> 
>       % ssh harri@unstable
> 
>       % tty
>       /dev/pts/6
> 
>       % ps -ef | grep ssh-agen[t]
>       harri     4824     1  0 13:39 ?        00:00:00 ssh-agent
> 
>       % ssh localhost
> 
>       % tty
>       /dev/pts/7
> 
>       % ps -ef | grep ssh-agen[t]
>       harri     4824     1  0 13:39 ?        00:00:00 ssh-agent
> 
>       % exit
>       logout
>       Connection to localhost closed.
> 
>       % ps -ef | grep ssh-agen[t]
> 
>       % tty
>       /dev/pts/6
> 
> The result is that I get a ssh-agent just by chance, depending
> upon the number of logins and the nesting level.
> 
> Here is the pam configuration for ssh.
> grep -v ^\# /etc/pam.d/common-auth :
> 
>       auth    [success=1 default=ignore]      pam_unix.so nullok_secure
>       auth    requisite                       pam_deny.so
>       auth    required                        pam_permit.so
>       auth    optional        pam_ssh.so use_first_pass
>       auth    optional                        pam_cap.so
> 
> grep -v ^\# /etc/pam.d/common-session :
> 
>       session [default=1]                     pam_permit.so
>       session requisite                       pam_deny.so
>       session required                        pam_permit.so
>       session required        pam_unix.so
>       session optional        pam_ssh.so
>       session optional                        pam_ck_connector.so nox11
> 
> egrep -v ^\#\|^\$ /etc/pam.d/sshd :
>       @include common-auth
>       account    required     pam_nologin.so
>       @include common-account
>       session [success=ok ignore=ignore module_unknown=ignore default=bad]    pam_selinux.so close
>       session    required     pam_loginuid.so
>       session    optional     pam_keyinit.so force revoke
>       @include common-session
>       session    optional     pam_motd.so  motd=/run/motd.dynamic
>       session    optional     pam_motd.so noupdate
>       session    optional     pam_mail.so standard noenv # [1]
>       session    required     pam_limits.so
>       session    required     pam_env.so # [1]
>       session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
>       session [success=ok ignore=ignore module_unknown=ignore default=bad]    pam_selinux.so open
>       @include common-password
> 
> 
> Regards
> Harri
> 
