Restore interactive PAM authentication #49487

Merged: rosstimothy merged 1 commit into master from tross/pam_auth_fix on Nov 27, 2024

@rosstimothy rosstimothy commented Nov 26, 2024

#29279 caused PAM to deadlock when performing interactive authentication. To restore the previous semblance of functional PAM, this reverts waiting for PAM to be complete if BPF is disabled. #29279 was specifically added to prevent systemd, which may be invoked via a PAM module, from moving the exec subprocess to a different cgroup. Since cgroups are not used outside of Enhanced Session Recording, this is a stop-gap measure that can allow most users of PAM to get an immediate restoration of behavior while a more long-term and sane approach to performing PAM during the SSH handshake can be considered, evaluated, and tested.

Closes #49028.

Changelog: Restore interactive PAM authentication functionality when `use_pam_auth` is applied.
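
A simplified model of the ordering problem the description refers to, added here as an illustration; it is not Teleport's code. It assumes the stall arises because the parent waits for PAM completion before it relays prompts; `startSession`, `waitForPAM`, `child` and `relay` are hypothetical names, and the relayed answer is a constructed value.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var ErrStalled = errors.New("session stalled waiting for PAM")

// child models the exec subprocess; an interactive PAM module blocks on a prompt.
func child(interactive bool, prompts chan<- string, answers <-chan string, pamDone chan<- struct{}) {
	if interactive {
		prompts <- "Verification code: "
		<-answers
	}
	close(pamDone)
}

// relay models the parent forwarding PAM prompts and the user's replies.
func relay(prompts <-chan string, answers chan<- string) {
	for range prompts {
		answers <- "constructed-answer" // constructed sample input
	}
}

// startSession models the parent. With waitForPAM set (hypothetical stand-in
// for "BPF enabled"), it blocks on pamDone without servicing prompts.
func startSession(waitForPAM, interactive bool, timeout time.Duration) error {
	prompts, answers := make(chan string), make(chan string)
	pamDone := make(chan struct{})
	go child(interactive, prompts, answers, pamDone)
	if !waitForPAM {
		go relay(prompts, answers) // I/O is serviced while PAM runs
	}
	select {
	case <-pamDone:
		return nil
	case <-time.After(timeout): // a timeout stands in for the hang
		return ErrStalled
	}
}

func main() {
	for _, c := range []struct{ wait, interactive bool }{{true, false}, {true, true}, {false, true}} {
		err := startSession(c.wait, c.interactive, 200*time.Millisecond)
		fmt.Printf("waitForPAM=%v interactive=%v -> %v\n", c.wait, c.interactive, err)
	}
}
```

In this model, non-interactive PAM completes even when the parent waits, while interactive PAM only completes when the wait is skipped, which is the case the stop-gap covers.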

@rosstimothy rosstimothy added the no-changelog (Indicates that a PR does not require a changelog entry), backport/branch/v15 and backport/branch/v17 labels Nov 26, 2024
@rosstimothy rosstimothy marked this pull request as ready for review November 27, 2024 14:30
@github-actions github-actions Bot requested review from creack and zmb3 November 27, 2024 14:31
Comment thread lib/srv/sess.go Outdated
Comment thread lib/srv/sess.go
@public-teleport-github-review-bot public-teleport-github-review-bot Bot removed the request for review from zmb3 November 27, 2024 18:40
#29279 caused PAM to
deadlock when performing interactive authentication. To restore
the previous semblance of functional PAM, this reverts waiting
for PAM to be complete if BPF is disabled. #29279 was specifically
added to prevent systemd, which may be invoked via a PAM module,
from moving the exec subprocess to a different cgroup. Since
cgroups are not used outside of Enhanced Session Recording this
is a stop-gap measure that can allow most users of PAM to get an
immediate restoration of behavior while a more long term and sane
approach to performing PAM during the SSH handshake can be
considered, evaluated, and tested.

Closes #49028.
@rosstimothy rosstimothy added this pull request to the merge queue Nov 27, 2024
Merged via the queue into master with commit a73ce89 Nov 27, 2024
@rosstimothy rosstimothy deleted the tross/pam_auth_fix branch November 27, 2024 19:17
@public-teleport-github-review-bot
@rosstimothy See the table below for backport results.

| Branch | Result |
|---|---|
| branch/v15 | Failed |
| branch/v16 | Failed |
| branch/v17 | Create PR |

rosstimothy added a commit that referenced this pull request Nov 27, 2024
rosstimothy added a commit that referenced this pull request Nov 27, 2024
github-merge-queue Bot pushed a commit that referenced this pull request Nov 27, 2024
github-merge-queue Bot pushed a commit that referenced this pull request Nov 27, 2024
carloscastrojumo pushed a commit to carloscastrojumo/teleport that referenced this pull request Feb 19, 2025
Labels

backport/branch/v17, no-changelog (Indicates that a PR does not require a changelog entry), size/sm

Development

Successfully merging this pull request may close these issues.

PAM Auth with interactive input is broken.