pam_ssh / News: Recent posts

I just released a new version of pam_ssh which contains many (or even all) improvements from the Debian package.

• added support for ECDSA keys
• ssh-agent is now spawned in a different improved way
• ssh-agent is not started anymore for users without keys
• support try_first_password PAM option
• still ask for passphrase even if user does not exist
• expect keys used for login in ~/.ssh/login-keys.d directory
  (see README; this behaviour will cause old setups to fail
  since the default keys are not used anymore for auth)
• "keyfiles" option has been removed and all found keys
  which can be opened using the provided passphrase will be
  added to the agent
• alternative keys not used for login purposes and not named
  like the default keys will be decrypted and saved for the
  agent when placed in ~/.ssh/session-keys.d directory
• when there is no controlling tty now use the PID to
  create the session file
• return PAM_SESSION_ERR from within the session part
  instead of PAM_AUTH_ERR
• honour TMPDIR when starting ssh-agent
• start ssh-agent with GID of the group given at
  compile time to the new configure option
  --with-ssh-agent-group

I've migrated the CVS repository into GIT.
All changes since 1.97 are now in GIT only and the CVS repository will be removed soon.

This is a minor maintenance release to fix bugs:

• Under some conditions, there is a double-free bug
  in pam_ssh. The data of the "ssh_agent_env_agent"
  pam_handle_t's item may have been free'd without being
  nullified, which trigger a bug on the cleanup phase.
  (ticket #13 double-free bug with pam_ssh-1.97)
• Before executing ssh-agent, pam_ssh restores root
  privileges with openpam_restore_cred, then uses only setuid
  to adjust privileges. Thus ssh-agent runs with gid 0.
  (ticket #12 pam_ssh doesn't set gid/groups before executing ssh-agent)
• Clear signal mask before executing ssh-agent as
  pam_ssh code can be called from kdm with blocked TERM signal
  which would be inherited by ssh-agent
• fixed crash caused by EOF password
  (ticket 14 pam_ssh segfaults on abort with empty password)

A rough overview what has changed since 1.92 what was the last real release from SourceForge:

- The module is usable now for session use only if wanted. It
starts an ssh-agent without adding keys to it in that case.
- The option to allow blank passphrases is now 'nullok' while the
old option is still available but deprecated.
- The debug option is now really supported as documented.
- We didn't start the ssh-agent if the close_session module
wasn't called correctly but the ssh-agent was killed (e.g.
system crashes). That should be solved in almost all cases now.
- Improved logging
- SECURITY FIX: pam_ssh used a certain prompt if a user found
to exist to ask for the SSH passphrase explicitely depending on
whether the username was valid or invalid, which made it
easier for remote attackers to enumerate usernames.
(CVE-2009-1273)

This version includes a security enhancement that disallows blank passphrases. An option is included for reverting to the old behavior.

This version is more portable about the way it juggles user IDs when starting the agent. As a result, it works on Linux systems. Also, it tries to run as the user rather than root as much as possible. Other portability changes were made as well, and as a result, pam_ssh now works on Mac OS X systems.

This version uses Automake, Autoconf, and Libtool, and seems to work on GNU/Linux systems in addition to FreeBSD. Many contributed bug fixes have been imported, and the OpenSSH code has been updated to 3.4p1. Also, a manual page has been added.

The main new feature in this release is that only one agent process is started per user per host, regardless of the number of concurrent sessions that user has started.

Other changes include a "keyfiles" option to specify which keys to use for authentication and to add to the agent. Also, the OpenSSH code used by pam_ssh was upgraded to 2.9p2.