I want to use pam_exec to run a script on an ssh login event.
On an Ubuntu base image, appending this PAM configuration one-liner to /etc/pam.d/sshd.pam works (after installing openssh):
session optional pam_exec.so seteuid stdout type=open_session /etc/pam-sshd-login-hook.sh
Then I found linuxserver.io openssh-server. It's a lightweight image and makes it easy to configure with a public key and user name. Thank you for creating that!
If I run it, ssh with public key auth works:
$ docker run --rm -d --name ac1 -e PUBLIC_KEY -e USER_NAME=dough lscr.io/linuxserver/openssh-server:latest
Now I want to use pam_exec to run a script on an ssh login event.
Interactively, in the ac1 container, I enable PAM in /etc/ssh/sshd_config:
...
UsePAM yes
KbdInteractiveAuthentication no
...
and restart openssh server:
# s6-svc -r /run/service/openssh-server
But upon ssh from the host machine, the server appears to accept key authentication, but promptly closes the connection before starting a shell session:
$ ssh -vvv -i ~/.ssh/mykey -p 2222 dough@172.18.0.3
debug1: Server accepts key: /home/dough/.ssh/mykey RSA SHA256:tUHJFPJXyGdhe2poOnpbgDz1t6mhvpmSiRprMIJdFko explicit agent
debug3: sign_and_send_pubkey: RSA SHA256:tUHJFPJXyGdhe2poOnpbgDz1t6mhvpmSiRprMIJdFko
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:tUHJFPJXyGdhe2poOnpbgDz1t6mhvpmSiRprMIJdFko
debug3: send packet: type 50
Connection closed by 172.18.0.3 port 2222
On ac1, in /config/logs/openssh/current, it seems there's a problem with PAM account management: "Authentication service cannot retrieve authentication info":
2022-09-22 02:16:41.821095711 debug1: /config/.ssh/authorized_keys:1: matching key found: RSA SHA256:tUHJFPJXyGdhe2poOnpbgDz1t6mhvpmSiRprMIJdFko
2022-09-22 02:16:41.821106309 debug1: /config/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
2022-09-22 02:16:41.821110668 Accepted key RSA SHA256:tUHJFPJXyGdhe2poOnpbgDz1t6mhvpmSiRprMIJdFko found at /config/.ssh/authorized_keys:1
2022-09-22 02:16:41.821117354 debug1: restore_uid: (unprivileged)
2022-09-22 02:16:41.821121394 debug3: mm_answer_keyallowed: publickey authentication: RSA key is allowed
2022-09-22 02:16:41.821133896 debug3: mm_request_send: entering, type 23
2022-09-22 02:16:41.821202231 debug3: mm_sshkey_verify: entering [preauth]
2022-09-22 02:16:41.821204241 debug3: mm_request_send: entering, type 24 [preauth]
2022-09-22 02:16:41.821208932 debug3: mm_request_receive: entering
2022-09-22 02:16:41.821215539 debug3: monitor_read: checking request 24
2022-09-22 02:16:41.821295607 debug3: mm_answer_keyverify: publickey RSA signature verified
2022-09-22 02:16:41.821300496 debug1: auth_activate_options: setting new authentication options
2022-09-22 02:16:41.821302447 debug3: mm_request_send: entering, type 25
2022-09-22 02:16:41.821310562 debug3: mm_request_receive_expect: entering, type 102
2022-09-22 02:16:41.821312128 debug3: mm_request_receive: entering
2022-09-22 02:16:41.826582283 debug1: do_pam_account: called
2022-09-22 02:16:41.826587001 debug2: do_pam_account: auth information in SSH_AUTH_INFO_0
2022-09-22 02:16:41.831312509 debug3: PAM: do_pam_account pam_acct_mgmt = 9 (Authentication service cannot retrieve authentication info)
2022-09-22 02:16:41.831316748 debug3: mm_request_send: entering, type 103
2022-09-22 02:16:41.831321867 Failed publickey for dough from 172.18.0.1 port 40700 ssh2: RSA SHA256:tUHJFPJXyGdhe2poOnpbgDz1t6mhvpmSiRprMIJdFko
I've tried creating a minimal /etc/pam.d/sshd.pam with:
account include base-account
but no joy. Whether this file exists or not, the behaviour is the same.
Need some help here…
I’m stuck with the pam configuration to run pam_exec.
But the goal is to run a hook script on an ssh login event. How can we do that?
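A hook script that the pam_exec line above could point at, as an added example that is not code from the original post or from the linuxserver.io image. It assumes a hypothetical log path /var/log/ssh-login-hook.log (overridable through LOGIN_HOOK_LOG) and records only the variables pam_exec exports to the command it runs (PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TTY):

```shell
#!/bin/sh
# Hypothetical /etc/pam-sshd-login-hook.sh: an added example, not code from the
# original post or from the linuxserver.io image. pam_exec exports PAM_TYPE,
# PAM_USER, PAM_RHOST, PAM_SERVICE and PAM_TTY to the command it runs; the
# hook only records them and never influences the PAM result (it exits 0).
set -u

# Map PAM_TYPE to the event we record. The pam line's "type=open_session"
# filter means only open_session normally arrives, but the hook stays
# correct (and quiet) if it is ever invoked for another phase.
event_for_pam_type() {
    case "${1:-}" in
        open_session)  echo login ;;
        close_session) echo logout ;;
        *)             echo ignore ;;
    esac
}

# Strip non-printable characters (newlines, escapes) so a crafted username
# or host name cannot forge or split a log record; empty values become "-".
sanitize() {
    v=$(printf '%s' "${1:-}" | tr -cd '[:print:]')
    printf '%s' "${v:--}"
}

# Build one audit line: $1 is the timestamp, the rest comes from the
# environment pam_exec sets.
format_login_event() {
    printf '%s event=%s service=%s user=%s rhost=%s tty=%s\n' \
        "$1" "$(event_for_pam_type "${PAM_TYPE:-}")" \
        "$(sanitize "${PAM_SERVICE:-}")" "$(sanitize "${PAM_USER:-}")" \
        "$(sanitize "${PAM_RHOST:-}")" "$(sanitize "${PAM_TTY:-}")"
}

main() {
    # auth/account phases and unknown types: nothing to do, succeed silently.
    [ "$(event_for_pam_type "${PAM_TYPE:-}")" = ignore ] && exit 0
    # LOGIN_HOOK_LOG and the default path are assumptions for this example.
    logfile="${LOGIN_HOOK_LOG:-/var/log/ssh-login-hook.log}"
    format_login_event "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$logfile"
    exit 0
}

# pam_exec always sets PAM_TYPE; when the file is sourced for testing it is
# absent and main does not run.
if [ -n "${PAM_TYPE:-}" ]; then main; fi
```

With the stdout option on the pam line, whatever the hook prints is handed back to sshd rather than logged, so the script appends to its own file instead of printing.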