TELEPORT_ROLES not available on PAM modules on Ubuntu. #3692

Closed
russjones opened this issue May 11, 2020 · 8 comments
@russjones

The TELEPORT_ROLES environment variable is not available on PAM modules on Ubuntu. This prevents correct group assignment.

@benarent benarent added the PAM Label related to Pluggable Authentication Module (PAM) Submethod. label May 11, 2020
@awly awly self-assigned this May 14, 2020
@awly

awly commented May 15, 2020

Recording some notes:

  • after lots of struggle reproduced the problem on Ubuntu
    • pam_script.so gets all the usual shell env vars and adds a few extras
    • but nothing that we set in teleport before calling libpam is propagated
    • I couldn't find any suspect changes in pam_script.so code, so suspecting libpam itself
  • I was able to plumb our env vars to pam_exec.so

I'll keep digging on possible libpam changes causing this, but also push my changes making pam_exec work.

awly pushed a commit that referenced this issue May 15, 2020
Using `pam_putenv` from `libpam` exposes these env vars to `pam_exec.so`
and possibly other built-in PAM modules. Keep setting them via
`os.Setenv` too, for `pam_script.so` to use.

Updates #3692
@awly

awly commented May 15, 2020

Oops, I take that back. pam_script.so on Ubuntu 20.04 does work fine.
I had been using a binary where I temporarily removed os.Setenv calls.

@russjones do we know which version of Ubuntu / pam / pam-script.so was causing this issue?

@awly

awly commented May 19, 2020

Note to self: backport #3725 to 4.2

@awly

awly commented May 20, 2020

One last touch is to update the docs.
We no longer need to recommend pam_script.so.

awly pushed a commit that referenced this issue May 21, 2020
With #3725 we now populate teleport-specific env vars in a way that's
accessible to `pam_exec.so`. There's no longer any reason to install
pam_script.so separately and duplicate our docs.

Updates #3692
@awly awly closed this as completed May 21, 2020
benarent added a commit that referenced this issue Jun 18, 2020
* Base fork for 4.3 docs

* [docs] external email identities and Kube Users (#3628)

* Base fork for 4.3 docs

* [docs] external email identities and Kube Users (#3628)

* Remove trailing whitespace from docs files

Some editors will do this automatically on save. This causes a lot of
diffs when editing the docs in such an editor.
Clean them up once now and we'll try to keep it tidy going forward.

* Add make rules for docs whitespace and milv

docs-test-whitespace: checks for trailing whitespace in all .md files
  under docs/.
docs-fix-whitespace: removes trailing whitespace in all .md files under
  docs/.
docs-test-links: runs milv in all docs/ subdirectories that have
  milv.config.yaml.
docs-test: runs whitespace and links tests, used during `make docs`

* Document the new `--use-local-ssh-agent` flag for tsh

The flag is used to bypass the local SSH agent even when it's running.
Specifically, this helps with agents that don't support certs.

The flag was added in #3721

* Remove pam_script.so docs from SSH PAM page

With #3725 we now populate teleport-specific env vars in a way that's
accessible to `pam_exec.so`. There's no longer any reason to install
pam_script.so separately and duplicate our docs.

Updates #3692

* Using the correct --insecure-no-tls flag

* Run docs-fix-whitespace make rule in a busybox container


* Fixes #3414

Co-authored-by: Andrew Lytvynov <[email protected]>
Co-authored-by: Gus Luxton <[email protected]>
Co-authored-by: Steven Martin <[email protected]>
Co-authored-by: Gus Luxton <[email protected]>
@benarent

> I was able to plumb our env vars to pam_exec.so

@awly Do you remember what magic you did to make this work with 20.04? Would I need to update `pam_exec` or my `teleport_acct` to get these variables?

@awly

awly commented Jul 27, 2021

@benarent if you have Ubuntu 20.04, these env vars should be available without extra steps.
What are you trying to do that's missing the env vars?

@benarent

I was able to get this working with the help of @Valien. It seems the comment stops it from working. Going to debug more and update the docs.

My teleport_acct file (/etc/pam-exec.d):

```bash
#!/bin/bash
id -u "${TELEPORT_LOGIN}" &>/dev/null || /usr/sbin/useradd -m "${TELEPORT_LOGIN}" -s /bin/bash 2> /tmp/pam.error
exit 0
```

My teleport file in /etc/pam.d:

```
account	required	pam_exec.so	/etc/pam-exec.d/teleport_acct
session	required	pam_motd.so
session	required	pam_exec.so	/bin/bash
session	required	pam_permit.so
```
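
Added example, not part of the thread or of Teleport's own code: a `pam_exec.so` account hook in the style of the script above that validates `TELEPORT_LOGIN` before it reaches `useradd` and derives supplementary groups from `TELEPORT_ROLES`, the group-assignment use case this issue describes. Assumptions: `TELEPORT_ROLES` is a space-separated list of role names, and `ROLE_GROUPS` is a hypothetical allowlist with constructed values.

```shell
#!/bin/bash
# Added example: hardened pam_exec account hook (not Teleport's own script).
# Assumption: TELEPORT_ROLES is a space-separated list of role names.
LC_ALL=C   # byte-wise character ranges in the patterns below
set -f     # no filename globbing when the role list is word-split

# Hypothetical allowlist of "teleport-role:local-group" pairs (constructed values).
ROLE_GROUPS="dev:developers dba:postgres"

# Accept only conservative login names: [a-z_][a-z0-9_-]*, at most 32 chars.
valid_login() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print the comma-separated local groups that the given roles map to.
# Roles missing from ROLE_GROUPS grant nothing.
groups_for_roles() {
    local out="" role pair
    for role in $1; do
        for pair in $ROLE_GROUPS; do
            if [ "${pair%%:*}" = "$role" ]; then
                out="${out:+$out,}${pair#*:}"
            fi
        done
    done
    printf '%s' "$out"
}

# Create the account if it is missing, then add the mapped groups.
provision() {
    local login="${TELEPORT_LOGIN:-}" groups
    if ! valid_login "$login"; then
        logger -t teleport_acct "rejected TELEPORT_LOGIN value"
        return 1
    fi
    if ! id -u "$login" >/dev/null 2>&1; then
        /usr/sbin/useradd -m -s /bin/bash -- "$login" || return 1
    fi
    groups="$(groups_for_roles "${TELEPORT_ROLES:-}")"
    if [ -n "$groups" ]; then
        /usr/sbin/usermod -a -G "$groups" -- "$login" || return 1
    fi
}

# pam_exec sets PAM_TYPE; act only when called from the account stack.
if [ "${PAM_TYPE:-}" = "account" ]; then
    provision || exit 1
    exit 0
fi
```

Unlike the script above, this hook returns non-zero when the login name is rejected or provisioning fails, so an `account required` line denies the login instead of continuing.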

@sagardeo2105

@benarent did this create the home directory for the user you added?
