dependencies update for rust[>=1.80]

[tombriden]

No description provided.

[tombriden]

Now getting

pam_rssh[1187334]: read_authorized_keys: Failed to get user name

so something still needs fixing

[z4yx]

It works on my test setup. Could you provide logs in debug mode.

[tombriden]

It works on my test setup. Could you provide logs in debug mode.

sudo itself returns

sudo: PAM authentication error: Insufficient credentials to access authentication data
sudo: a password is required

and syslog:

pam_rssh[1509287]: SSH-Agent address: /home/tom/.ssh/ssh_auth_sock
pam_rssh[1509287]: Reading authorized_keys
pam_rssh[1509287]: read_authorized_keys: Failed to get user name
 sudo[1509287]:      tom : PAM authentication error: Insufficient credentials to access authentication data ; TTY=pts/3 ; PWD=/home/tom ; USER=root ; COMMAND=validate

which comes from

let user = pamh.get_user(None).map_err(|_| RsshErr::GetUserErr)?; 

https://github.com/z4yx/pam_rssh/blob/main/src/lib.rs#L39

[duament]

It also works on my NixOS desktop.

my override

{ config, lib, pkgs, self, ... }:
let

  pam_rssh = pkgs.pam_rssh.override (old: {
    rustPlatform.buildRustPackage = x: old.rustPlatform.buildRustPackage (
      x // {
        src = pkgs.fetchFromGitHub {
          owner = "z4yx";
          repo = "pam_rssh";
          rev = "1d5bf963c9b1c5d3298bf563454e08bbeb9700c0";
          hash = "sha256-T2edexuSjLsr7BL/cXwZEiwipplKueKpNNu40n3r4+o=";
          fetchSubmodules = true;
        };
        cargoHash = "sha256-Z+axlIwCll1vrgRXCSiLmQzT84UjTYy6rE2/B2KUB/g=";
      }
    );
  });

in
{
  config = {

    # libpam_rssh
    security.pam.services.sudo.text = lib.mkDefault (lib.mkBefore ''
      auth sufficient ${pam_rssh}/lib/libpam_rssh.so auth_key_file=/etc/ssh/authorized_keys.d/rvfg
    '');
    security.sudo.extraConfig = ''
      Defaults env_keep+=SSH_AUTH_SOCK
    '';

  };
}

[z4yx]

According to pam man pages, PAM_USER can be changed by other modules in pam stack. https://www.man7.org/linux/man-pages/man3/pam_get_item.3.html

Is pam_rssh the first module in your pam.d/sudo config?

[tombriden]

It also works on my NixOS desktop.

this is only an issue when there's no auth_key_file configured

According to pam man pages, PAM_USER can be changed by other modules in pam stack. https://www.man7.org/linux/man-pages/man3/pam_get_item.3.html

Is pam_rssh the first module in your pam.d/sudo config?

i've tried making it the first module and get the same behaviour. my pam config hasn't changed, this only started happening after rebuilding with rust-1.80.1

[tombriden]

digging a bit more, it appears that pam_get_user called from pam-bindings get_user is returning PAM_SUCCESS but the ptr passed to it is still null so an error gets returned. i've no idea why that is though

[tombriden]

have also rebuilt pam with some debug logging, and pamh->user has the correct value. so, for some reason the pointer passed in to pam_get_user isn't being set

also, looks like this crate is no longer maintained so maybe its worth migrating pam_rssh to something else? (anowell/pam-rs#13 (comment))

[z4yx]

I've replaced get_user with get_item, which is the low-level interface. Could you try the branch wip-migrate.

[tombriden]

I've replaced get_user with get_item, which is the low-level interface. Could you try the branch wip-migrate.

Yep, that seems to have fixed it! thanks!

[z4yx]

Great! I think get_item is more appropriate than get_user, because it doesn't prompt for user input when PAM_USER is not set.
I'll merge this PR and apply changes in wip-migrate.