Teleport: Feature: pam integration?

Created on 1 Feb 2017  路  3Comments  路  Source: gravitational/teleport

Initial Comment

Present motd information on login similar to OpenSSH
https://www.ietf.org/rfc/rfc4252.txt Section 5.4

Proposal

Teleport is going to (optionally) use PAM to create user sessions. This will enable the full pipeline of PAM-driven session customization, which will give us access to all PAM plugins, including motd

feature-request

Most helpful comment

One use case we have for using pam is assigning an "auid" that is process inherited via pam_loginuid.so and we capture this in auditd logs. Allows users to sudo to root while maintaining a trail.

All 3 comments

@Kellel OpenSSH is most distros is actually configured to integrate with pam and it's pam who's displaying motd-like prompt.

Frankly we feel this will only add unneeded complexity because Teleport performs authentication on a cluster-level, i.e. individual nodes can be as dumb as they come (for example people use Teleport to SSH into docker containers randomly flying around).

The utility of pam is somewhat questionable in a clustered environment, where user identity is stored elsewhere and user authentication happens _before the SSH connection is even made_ (at SSH bastion/proxy), see teleport login command which doesn't require a host name: in Teleport world hosts are "dumb cattle". So it's a head scratcher. Do you mind me ask: why are you asking?

But if someone is willing to look into _lightweight_ integration with pam, we're open to accept a decent PR. :-)

I'll mark it as "help wanted".

One use case we have for using pam is assigning an "auid" that is process inherited via pam_loginuid.so and we capture this in auditd logs. Allows users to sudo to root while maintaining a trail.

Was this page helpful?
0 / 5 - 0 ratings