Not running pam_exec from sshd when client runs `ssh -i key.pem`

[ashb]

Thanks for this module - it is exactly what I want!

And I ran it on one instance and it worked.

Then I terminated that one and created a new one (same AMI - ubuntu 18.04 in eu-west-2) and it... didn't work :( Looking at journalctl I didn't see any pam_exec lines.

But if I change the sshd_config from

AuthenticationMethods publickey keyboard-interactive:pam,publickey

to

AuthenticationMethods keyboard-interactive:pam,publickey

Then it does run the script (though as expected I can't log in as I have no password)

In myLog I see this:

Jan 29 21:08:21 ip-10-244-102-148 sshd[7801]: Invalid user ash from x.x.x.x port 55816
Jan 29 21:08:21 ip-10-244-102-148 audit[7802]: SECCOMP auid=4294967295 uid=109 gid=65534 ses=4294967295 pid=7802 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e syscall=13 compat=0 ip=0x7fdf2a2fafed code=0x0
Jan 29 21:08:21 ip-10-244-102-148 kernel: audit: type=1326 audit(1548796101.909:26): auid=4294967295 uid=109 gid=65534 ses=4294967295 pid=7802 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e syscall=13 compat=0 ip=0x7fdf2a2fafed code=0x0

For the hacked config I see

Jan 29 21:09:43 ip-10-244-102-148 sshd[7875]: Invalid user ash from x.x.x.x port 55824
Jan 29 21:09:45 ip-10-244-102-148 useradd[7899]: new group: name=ash, GID=33641
Jan 29 21:09:45 ip-10-244-102-148 useradd[7899]: new user: name=ash, UID=33641, GID=33641, home=/home/ash, shell=/bin/bash
Jan 29 21:09:46 ip-10-244-102-148 sshd[7875]: Postponed keyboard-interactive for invalid user ash from 217.169.25.231 port 55824 ssh2 [preauth]
Jan 29 21:09:50 ip-10-244-102-148 sshd[7875]: Connection closed by invalid user ash 217.169.25.231 port 55824 [preauth]

I'm a bit out of my depth in PAM here, I'm not sure how I managed to have it working before and changed nothing much I can point at and it's not working anymore :(

[ashb]

Oh curious. The problem seemed to be caused how I invoked the client: with ssh -i key.pem it didn't create the user:

$ ssh -v -i AshBerlinTaylor.pem y.y.y.y -l ash
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: AshBerlinTaylor.pem
Authentication failed.

Without, falling back to default key:

ssh -v y.y.y.y -l ash
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/ash/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /Users/ash/.ssh/id_dsa
debug1: Trying private key: /Users/ash/.ssh/id_ecdsa
debug1: Trying private key: /Users/ash/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Keymaker: Your user account has been replicated to this host but cannot be used for this session.
Keymaker: Create a new SSH connection.
Password:

If I add both keys to my ssh agent it works. So "problem solved" for me, but I still find this curious.

[kislyuk]

Thank you for reporting this. I'll have to look into this on a fresh install - it's possible that AuthenticationMethods keyboard-interactive:pam,publickey should be the default.