Skip to content

Refuse to authenticate remote users #384

@Stebalien

Description

@Stebalien

Is your feature request related to a problem?

When SSH is configured to with UsePAM and PAM's SSH service includes pam_u2f, it will attempt to authenticate the user against a local (the server running sshd) u2f token. PAM's SSH service shouldn't include pam_u2f, but PAM service configs are often shared. See, e.g., NixOS/nixpkgs#166076.

Describe the solution that you'd like

Check if PAM_RHOST is set and something other than "localhost". See how pam_fprintd does this:

https://gitlab.freedesktop.org/libfprint/fprintd/-/blob/dffcbfd953f3f73bc96590a2c3c8dc5f4580d5d6/pam/pam_fprintd.c#L815-849

Fprintd also optionally integrates with libsystemd, but I'm not sure if that's strictly speaking required (checking RHOST should be sufficient, as far as I can tell).

Describe the alternatives that you've considered

The alternative is to educate users and/or get distros to fix their PAM configs, but, IMO, it still makes sense to have a sanity check in pam_u2f.

Additional context

I'm happy to submit a PR to check PAM_RHOST (it seems simple enough). Linking in libsystemd requires messing with the build system, so I'm probably not the best person to attempt that.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions