In order to run the ssh daemon service, the `pam_loginuid` entry has to be set to optional in /etc/pam.d/sshd as described in the official example for Ubuntu 13.10.
Was this entry optional for previous versions of Ubuntu? Did it even exist before Ubuntu 13.10?
What does setting `pam_loginuid` to `optional` mean, anyway?
Is my ssh configuration much less secure in this respect?
`pam_loginuid` is used to set the `loginuid` audit attribute of a process when a user logs in through SSH, X, or anything like that. This attribute can then be used by the audit framework for various purposes.
However, setting this audit attribute requires some audit-related capabilities to be enabled; and by default, Docker drops them, so the `audit_setloginuid` call will fail.
When the PAM module is configured as `required`, such failures are fatal (and PAM prevents the login from going on); while `optional` means "go on anyway".
I might be wrong, but I believe that while `pam_loginuid` is available in previous versions (I tested with 12.04) it wasn't enabled anyway; so that's why 13.10 and higher require this special setting.
This investigation is too long for a comment. As @jpetazzo indicated, this problem is likely due to lack of the `CAP_AUDIT_WRITE` capability, which apparently affects some versions of Docker and Linux, but not others. So here I'll try to investigate the evolution of this.
- #3015 (2013-12-13, 0.7.2) introduced cap dropping for the lxc daemon and included `AUDIT_WRITE` in the list of dropped capabilities
- #5810 (2014-05-16, 0.12.0) made the container library drop all capabilities except for whitelisted ones
- #6527 (2014-06-19, 1.0.1) moved from blacklist to whitelist and didn't include `AUDIT_WRITE` in that
- #7179 (2014-07-24, 1.2.0) added the `AUDIT_WRITE` capability to the whitelist
- #20662 (2016-03-19, 1.11.0) moved files around so the setting is now in `oci/defaults_linux.go`
So it would seem as though all versions before 0.7.2 and also all versions since 1.2.0 should keep `CAP_AUDIT_WRITE`. As I'm seeing `pam_loginuid`-related problems with 1.12.5 there might be some other capability involved here.