TL;DR: sed -i ‘s/session required optional’ /etc/pam.d/sshd

I’ve previously posted about failure SSH’ing into a Docker container running an ssh server. The prevailing fix online is to just change UsePAM yes to UsePAM no in the /etc/ssh/sshd_config file. But PAM is useful, and that’s not really a fix.

Thanks to Sean Dilda, I was able to narrow down the line where the actual PAM session stuff was bailing and killing the ssh session – it turns out it’s:

session required

…in the /etc/pam.d/sshd file.

From man pam_loginuid:

The pam_loginuid module sets the loginuid process attribute for the process that was authenticated.

Ok, this sounds kind of useful. It’s used for application auditing. However, more Google-ing turns up that Docker explicitly drops the audit-related capabilities1 that are required for this to work, causing an error to be returned to PAM. This means that it’s not ever going to work in a Docker container unless the Docker code is changed. That’s out of my hands, though.

So that leaves us with the TL;DR from above. You can change session require to session optional in the /etc/pam.d/sshd file. This will allow you to continue to use PAM, but skip over the failure to set loginuid process attributes, and continue on with the session without bailing.

This allows the ssh session to be useful, and PAM is still around so you can use Kerberos or other PAM-related stuff inside your container.

Author’s Note

I’m beginning to copy over my technology-related posts from Google+ to this blog, mostly so I have an easy-to-read record of them. This one was originally published on 20 May 2014: SSH In a Docker CentOS Container