jeroennijhof/pam_script

SSH_CONNECTION / env variables stuck

Closed this issue · 2 comments

Using pam_script with SSH, it seems that SSH_CONNECTION always contains the same information, in all sessions (same goes for the deprecated SSH_CLIENT environment variable). Logging the environment variables to file shows the same remote ip / remote port combo, no matter where the client connects from.

I am still digging through openssh and pam_script's source to find the culprit, but any assistance / idea would be helpful. I've seen a lot of documentation and examples on the net using SSH_CONNECTION to obtain this information, so I'm wondering if they're all broken or if there's been a change in PAM or SSH.

Using Debian 7.

After some digging, it seems that any examples using SSH_CONNECTION are completely broken.

Only PAM_RHOST is set, anything else just keeps getting inherited and SSH_CONNECTION isn't set when the pam script is called.

When you look at SSH_CONNECTION in a pam script (for example auth, session open/close) you basically get the environment variables active when you restarted the SSHD process.

The solution for me was to add UseDns No to sshd_config and rely on PAM_RHOST for the IP.

If I'm missing something and could have done better (preferably being able to retrieve the remote port), or if this functionality is something pam_script can do alone based on the information passed to it by SSH, please do let me know.

If you're still wondering, I also ran into this problem. It seems that in older versions of sshd, SSH_CONNECTION is set after the PAM session. But in newer versions (8.4 on Gentoo) SSH_CONNECTION is available to pam_script.
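
The behaviour described in the comments above, as an added example that is not part of the original thread or of pam_script's own code: shell helpers for a pam_script hook that take the client address only from PAM_RHOST and flag an SSH_CONNECTION value that was inherited from sshd's start-up environment. The function names are hypothetical, and the sketch assumes PAM_USER and PAM_RHOST are exported to the hook and that sshd runs with DNS lookups disabled so PAM_RHOST is an IP literal.

```shell
#!/bin/sh
# Added example (not pam_script's own code). Helpers meant to be sourced or
# pasted into a pam_script hook such as pam_script_ses_open.

# is_ip_literal ADDR: shape check only (IPv4 digits/dots, IPv6 hex/colons).
is_ip_literal() {
    case "$1" in
        '')  return 1 ;;
        *:*) case "$1" in *[!0-9A-Fa-f:.]*) return 1 ;; esac ;;
        *.*) case "$1" in *[!0-9.]*) return 1 ;; esac ;;
        *)   return 1 ;;
    esac
    return 0
}

# peer_addr: print the client address from PAM_RHOST, or "unknown" when it
# is empty or a hostname (sshd resolved the name, i.e. DNS lookups are on).
peer_addr() {
    if is_ip_literal "${PAM_RHOST:-}"; then
        printf '%s\n' "$PAM_RHOST"
    else
        printf 'unknown\n'
    fi
}

# ssh_connection_state: compare the first field of SSH_CONNECTION
# ("client_ip client_port server_ip server_port") with PAM_RHOST.
#   absent     - variable not present in the hook's environment
#   stale      - address differs from PAM_RHOST: inherited, not this client
#   consistent - address agrees; the port is still unverified, because a
#                value inherited from the same address would also match
ssh_connection_state() {
    if [ -z "${SSH_CONNECTION:-}" ]; then
        printf 'absent\n'
    elif [ "${SSH_CONNECTION%% *}" = "${PAM_RHOST:-}" ]; then
        printf 'consistent\n'
    else
        printf 'stale\n'
    fi
}

# audit_line: one log record; the address never comes from SSH_CONNECTION,
# and the client-supplied user name is reduced to a safe character set.
audit_line() {
    user=$(printf '%s' "${PAM_USER:-unknown}" | tr -c 'A-Za-z0-9._@-' '?')
    printf 'user=%s rhost=%s ssh_connection=%s\n' \
        "$user" "$(peer_addr)" "$(ssh_connection_state)"
}
```

A hook would append the output of `audit_line` to its log; a `stale` result means any remote port read from SSH_CONNECTION belongs to whoever started sshd, not to the connecting client.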