jails PAM: How can I apply a pam_jail(8) rule to only a single user?

I'm trying to set up an SSH service that uses pam_jail to jail a specific user when they authenticate. The following /etc/pam.d/sshd file works great for jailing user userA into the jail rooted in /jail/jailA:

Code:
#
#
# PAM configuration for the "sshd" service
#

# auth
#auth       sufficient  pam_krb5.so     no_warn try_first_pass
#auth       sufficient  pam_ssh.so      no_warn try_first_pass
auth        required    pam_unix.so     no_warn try_first_pass

# account
account     required    pam_nologin.so
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so      want_agent
session     required    pam_jail.so     dir=/jail/jailA
session     required    pam_permit.so

# password
#password   sufficient  pam_krb5.so     no_warn try_first_pass
password    required    pam_unix.so     no_warn try_first_pass

The problem is that it also jails any other non-privileged user who authenticates. To fix this, I attempted:

Code:
session      required    pam_jail.so     dir=/jail/jailA user=userA

in the hope that PAM would then apply that line ONLY when a user authenticates as userA. There seemed to be no change in behaviour. "userA" was still jailed and so was the other account that I don't want jailed.

What am I missing that's preventing me from applying this pam_jail rule ONLY to that one user?

Ultimately, I am aiming for a small number of power-users to be able to SSH into a small number of jails in a one-to-one fashion:

Code:
session            required        pam_jail.so             dir=/jail/jailA user=userA
session            required        pam_jail.so             dir=/jail/jailB user=userB
session            required        pam_jail.so             dir=/jail/jailC user=userC

and any account other than user{A,B,C} shall be logged in to the host, not to a jail.
 
Reading the pam_jail(8) man page:
Code:
If a user's home directory as specified in the passwd structure returned by
getpwnam(3) contains the string "/./", the user is put into the jail having
the portion of the directory name to the left of the string "/./" as its
root, and the portion to the right will be the current working directory
inside the jail. Otherwise, the directories specified by the dir and cwd
options (see below) are used.
Thus, as I read this, don't set dir and/or cwd, but set the specific directory in the user's homedir settings on the account. Then it'll apply to that user only.
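As an added illustration (not code from the thread or from pam_jail itself), a small Python model of the rule the man page excerpt states: it splits each user's home directory on "/./" and shows why a dir= option jails every user while the home-directory marker jails only the users that carry it. The passwd lines are constructed sample data, and the assumption that a user with neither a marker nor a dir= option stays on the host is mine, since the excerpt does not spell that case out.

```python
from __future__ import annotations
from typing import NamedTuple, Optional

JAIL_MARKER = "/./"


class Placement(NamedTuple):
    user: str
    root: Optional[str]   # None: not jailed, the user logs in to the host
    cwd: Optional[str]


def placement(home: str, dir_opt: Optional[str] = None,
              cwd_opt: Optional[str] = None) -> tuple[Optional[str], Optional[str]]:
    """Return (jail_root, cwd) for one home directory, following pam_jail(8).

    If home contains "/./", the part to its left is the jail root and the
    part to its right is the cwd inside the jail.  Otherwise the module's
    dir= and cwd= options apply.  With neither a marker nor dir= we assume
    no jailing happens (assumption; the man page excerpt does not say).
    """
    if JAIL_MARKER in home:
        root, _, rest = home.partition(JAIL_MARKER)
        return root, "/" + rest
    if dir_opt is not None:
        return dir_opt, cwd_opt or "/"
    return None, None


def plan(passwd_text: str, dir_opt: Optional[str] = None,
         cwd_opt: Optional[str] = None) -> list[Placement]:
    """Apply placement() to every entry of a passwd(5)-format text."""
    out = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")          # name:pw:uid:gid:gecos:home:shell
        root, cwd = placement(fields[5], dir_opt, cwd_opt)
        out.append(Placement(fields[0], root, cwd))
    return out


# Constructed sample entries: two jailed power users and one host admin.
SAMPLE_PASSWD = """\
userA:*:1001:1001:Jail A user:/jail/jailA/./home/userA:/bin/sh
userB:*:1002:1002:Jail B user:/jail/jailB/./home/userB:/bin/sh
admin:*:1003:1003:Host admin:/home/admin:/bin/sh
"""

if __name__ == "__main__":
    for label, opt in (("marker only", None), ("dir=/jail/jailA", "/jail/jailA")):
        print(f"-- {label}")
        for p in plan(SAMPLE_PASSWD, dir_opt=opt):
            print(f"{p.user}: " + (f"jail {p.root}, cwd {p.cwd}" if p.root else "host login"))
```

Running it with dir=/jail/jailA reproduces the behaviour described in the first post (admin lands in jailA too), while the marker-only run jails userA and userB and leaves admin on the host.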
 
Yes, I had been doing that in the past, but ran into some broken symbolic link problems. It's been long enough ago that I don't recall the exact issue. But now that I revisit that method (actually, the home dir already was set with a /./ in the middle), I realize it must have been something else. Still, the man page says either method works, but I simply don't know how to apply a PAM rule to only one specific user.
 
but I simply don't know how to apply a PAM rule to only one specific user.
PAM modules apply to anyone and everything. If there is any 'selection', it would have to be built into the module itself; pam_group(8) is a good example of this: it has a parameter that allows selection of a specific group. pam_jail(8) doesn't have anything like that. It would be nice if it had a group parameter and would only jail users that are members of that specific group. I suspect you're looking for something like that?
 
I also recall running across a crude "go to" mechanism where a PAM directive could be crafted to say, in effect, "if the authenticating user is NOT a member of jail_group then skip forward N directives." So everyone else skips ahead N=5 lines in the PAM config, and meanwhile those five lines get applied to the users who ARE in jail_group. Perhaps a couple required checks, and a "sufficient" check last so that if the jail_group users satisfy the "sufficient" rule, they are allowed in without further processing.

Perchance, does anything exist that would be sort of a pam_dump directive, such as:

account required pam_dump.so /tmp/everything-pam-knows-about-your-login.txt

whereby pam would spill its guts every time through the "account" stack (in this example), so that one might trace pam's execution and examine its state variables. Likely something under /var/log would be cleaner, and one certainly wouldn't enable this on a high-volume system. Just dreaming out loud I guess. locate turns up /usr/src/contrib/openpam/bin/openpam_dump_policy/openpam_dump_policy.c but that doesn't look like a pluggable PAM module.
 