proxy provider does not support session target

[ericnorris]

When using the following sssd.conf snippet:

[domain/foo]
auth_provider    = proxy
proxy_pam_target = foo

...and the following PAM service configuration at /etc/pam.d/foo:

session required pam_exec.so <some binary>

...we notice that sssd's PAM proxy does not appear to execute the specified session module.

This may be because proxy_auth seems to ignore SSS_PAM_OPEN_SESSION and SSS_PAM_CLOSE_SESSION:

sssd/src/providers/proxy/proxy_auth.c

Lines 775 to 779 in ed666e9

	case SSS_PAM_SETCRED:
	case SSS_PAM_OPEN_SESSION:
	case SSS_PAM_CLOSE_SESSION:
	pd->pam_status = PAM_SUCCESS;
	goto immediately;

Interestingly proxy_child does seem to support both, however:

sssd/src/providers/proxy/proxy_child.c

Lines 248 to 253 in ed666e9

	case SSS_PAM_OPEN_SESSION:
	pam_status=pam_open_session(pamh, 0);
	break;
	case SSS_PAM_CLOSE_SESSION:
	pam_status=pam_close_session(pamh, 0);
	break;

I'm not sure if this is a feature request or a bug, since sssd's own code references session modules in proxy_pam_target tests:

sssd/src/tests/multihost/alltests/sssdproxyldap

Line 4 in ed666e9

session required pam_ldap.so

In either case, it'd be nice if session modules worked with the proxy_pam_target.

[ericnorris]

Here are some additional logs that seem to indicate that sssd is skipping SSS_PAM_OPEN_SESSION:

Oct 18 15:22:06 test-20241018 sssd_be[8956]: command: SSS_PAM_OPEN_SESSION
Oct 18 15:22:06 test-20241018 sssd_be[8956]: domain: foo
Oct 18 15:22:06 test-20241018 sssd_be[8956]: user: <redacted>
Oct 18 15:22:06 test-20241018 sssd_be[8956]: service: sshd
Oct 18 15:22:06 test-20241018 sssd_be[8956]: tty: ssh
Oct 18 15:22:06 test-20241018 sssd_be[8956]: ruser:
Oct 18 15:22:06 test-20241018 sssd_be[8956]: rhost: <redacted>
Oct 18 15:22:06 test-20241018 sssd_be[8956]: authtok type: 0 (No authentication token available)
Oct 18 15:22:06 test-20241018 sssd_be[8956]: newauthtok type: 0 (No authentication token available)
Oct 18 15:22:06 test-20241018 sssd_be[8956]: priv: 1
Oct 18 15:22:06 test-20241018 sssd_be[8956]: cli_pid: 20261
Oct 18 15:22:06 test-20241018 sssd_be[8956]: logon name: not set
Oct 18 15:22:06 test-20241018 sssd_be[8956]: flags: 0
Oct 18 15:22:06 test-20241018 sssd_be[8956]: Target session is not configured
Oct 18 15:22:06 test-20241018 sssd_be[8956]: sssd.dataprovider.pamHandler: Success

These logs seem to come from here:

sssd/src/providers/data_provider/dp_target_auth.c

Lines 69 to 80 in ed666e9

	case SSS_PAM_OPEN_SESSION:
	name = "PAM Open Session";
	if (dp_method_enabled(provider, DPT_SESSION, DPM_SESSION_HANDLER)) {
	target = DPT_SESSION;
	method = DPM_SESSION_HANDLER;
	break;
	}
	target = DP_TARGET_SENTINEL;
	method = DP_METHOD_SENTINEL;
	pd->pam_status = PAM_SUCCESS;
	break;

...and further down, it looks like SSS_PAM_CLOSE_SESSION is more directly ignored:

sssd/src/providers/data_provider/dp_target_auth.c

Lines 87 to 92 in ed666e9

	case SSS_PAM_CLOSE_SESSION:
	target = DP_TARGET_SENTINEL;
	method = DP_METHOD_SENTINEL;
	name = "PAM Close Session";
	pd->pam_status = PAM_SUCCESS;
	break;

[ericnorris]

Upon closer inspection, Target session is not configured seems to be due to not defining a session_provider. Defining session_provider = proxy, however, fails since sssm_proxy_session_init is not defined in proxy_init.c.

Based on this understanding, I believe this is a feature request to:

• amend proxy_init.c to define sssm_proxy_session_init
• amend proxy_auth.c to forward SSS_PAM_OPEN_SESSION and SSS_PAM_CLOSE_SESSION to proxy_child.c
• amend dp_target_auth.c to use a session handler for SSS_PAM_CLOSE_SESSION

[alexey-tikhonov]

Hi.

...we notice that sssd's PAM proxy does not appear to execute the specified session module.

Mind sharing a specific example?

Take a note that out of the box with sssd-2.10+ 'sssd_be' and 'proxy_child' run completely unprivileged.
So it would require some tinkering if <some binary> requires privileges (even if session step would be supported by proxy provider).

[ericnorris]

Hey @alexey-tikhonov,

...we notice that sssd's PAM proxy does not appear to execute the specified session module.

Mind sharing a specific example?

I don't know that a specific example of the PAM proxy not executing a session module is necessary anymore - I noted in my previous comment that you cannot set session_provider = proxy, which I think is the underlying issue.

[alexey-tikhonov]

Still I'm interested in the real use case.
Otherwise it's "patches are welcome".

[ericnorris]

Ah, I see. Our use-case is to integrate a vendor (Smallstep) who provides PAM modules for authenticating with their service. We are currently using SSSD + LDAP, and wanted to continue to use SSSD when we switched to using their PAM backend instead of LDAP.

A part of their PAM setup is a session handler that records user sessions, which provides a nice audit trail. Since SSSD does not support the session module in the proxy provider, we cannot trigger their session handler using the SSSD setup.