Old 07-20-2010, 05:32 PM
Gordon Messmer
 
Preventing ssh keys from granting a user access when LDAP account is disabled.

On 07/20/2010 09:45 AM, Gerrard Geldenhuis wrote:
> Hi, there is a bugzilla raised concerning users still being able to
> login if they have ssh keys even if their ldap account is disabled.

Define "disabled". If your only flag is the userpassword field, you
won't find a good solution to this problem, since that field will never
be used by an ssh session using keys.

I believe you can use pam_access(5) to grant login access only to
members of a group in your directory, and remove users from that group
when you disable their login access.
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 07-20-2010, 06:32 PM
Gerrard Geldenhuis
 
Preventing ssh keys from granting a user access when LDAP account is disabled.

>
>________________________________________
>From: 389-users-bounces@lists.fedoraproject.org [389-users-bounces@lists.fedoraproject.org] on behalf of Gordon Messmer [yinyang@eburg.com]
>Sent: 20 July 2010 18:32
>To: General discussion list for the 389 Directory server project.
>Subject: Re: [389-users] Preventing ssh keys from granting a user access when LDAP account is disabled.
>
>On 07/20/2010 09:45 AM, Gerrard Geldenhuis wrote:
>> Hi, there is a bugzilla raised concerning users still being able to
>> login if they have ssh keys even if their ldap account is disabled.
>
>Define "disabled". If your only flag is the userpassword field, you
>won't find a good solution to this problem, since that field will never
>be used by an ssh session using keys.

Good point... I define disabled as setting the user as disabled in the console or the user having typed his password wrong too many times and then getting locked out.

I still don't understand pam as well as I should but it would make sense to me for PAM to "check" LDAP before checking ssh... It does so when you don't have ssh keys and would deny a user if he/she is disabled. Maybe I should change a password sufficient to password required. I guess I need to play around a bit more.

>
>I believe you can use pam_access(5) to grant login access only to
>members of a group in your directory, and remove users from that group
>when you disable their login access.

That was my plan but it is not perfect...

 
Old 07-21-2010, 09:32 AM
Daniel Maher
 
Preventing ssh keys from granting a user access when LDAP account is disabled.

On 07/20/2010 08:32 PM, Gerrard Geldenhuis wrote:

>> On 07/20/2010 09:45 AM, Gerrard Geldenhuis wrote:
>>> Hi, there is a bugzilla raised concerning users still being able to
>>> login if they have ssh keys even if their ldap account is disabled.
>>
>> Define "disabled". If your only flag is the userpassword field, you
>> won't find a good solution to this problem, since that field will never
>> be used by an ssh session using keys.
>
> Good point... I define disabled as setting the user as disabled in the console or the user having typed his password wrong too many times and then getting locked out.
>
> I still don't understand pam as well as I should but it would make sense to me for PAM to "check" LDAP before checking ssh... It does so when you don't have ssh keys and would deny a user if he/she is disabled. Maybe I should change a password sufficient to password required. I guess I need to play around a bit more.
>
>>
>> I believe you can use pam_access(5) to grant login access only to
>> members of a group in your directory, and remove users from that group
>> when you disable their login access.
>
> That was my plan but it is not perfect...

In a stunning coincidence, i was looking at this problem just this
morning.

In my environment not all of the accounts that should be able to log in
are in LDAP (some are local to the systems), so while i configured PAM
to check LDAP before any local mechanism, i couldn't just lock out a
failed LDAP check either. Since a "disabled" user in LDAP could still
technically authenticate locally (i.e. against a keyfile), i was running
into exactly the same problem you mentioned originally.

The LDAP groups here share a 1:1 relationship with Posix groups, which
lends itself well to using PAM to control SSH logins based on group
membership criteria. With this in mind, i configured PAM to use the
"listfile" mechanism, wherein the contents of a simple text file can be
compared against a given criteria during the authentication process.

In a nutshell, i put the allowed groups - one per line - in
/etc/ssh_login_groups, and then put this line at the top of my
/etc/pam.d/sshd :
auth requisite pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh_login_groups

I then created an LDAP group called "disabled", and now instead of
deactivating users in the traditional sense, i simply revoke their group
membership and put them into the disabled group. Since that group isn't
listed in the listfile, they can't login, regardless of any other
possibilities.


--
Daniel Maher <dma + 389users AT witbe DOT net>
 
Old 07-21-2010, 03:53 PM
Gordon Messmer
 
Preventing ssh keys from granting a user access when LDAP account is disabled.

On 07/20/2010 11:32 AM, Gerrard Geldenhuis wrote:
> Good point... I define disabled as setting the user as disabled in
> the console or the user having typed his password wrong too many times
> and then getting locked out.

I don't see "disable" in the console. I do see "inactivate". This adds
the ldap entry to an "inactive" role. As far as I know, any form of
inactivation or lockout in LDAP is merely going to prevent binding to
that ldap entry. The trick is, that doesn't happen with ssh keys. If
you're logging in to a system over ssh, basically the only checks that
matter are: 1) does the user exist and 2) is the key valid? Since the
password is never given, there's no attempt to bind to LDAP.

There are a number of pam_... options available in /etc/ldap.conf, but
I'm not sure if those are used when doing ssh logins with keys. That's
probably worth checking out if you use nss_ldap. There are probably
similar options for nss_sss, but I haven't looked at that yet either.

> I still don't understand pam as well as I should but it would make
> sense to me for PAM to "check" LDAP before checking ssh... It does so
> when you don't have ssh keys and would deny a user if he/she is
> disabled. Maybe I should change a password sufficient to password
> required. I guess I need to play around a bit more.

It won't affect sshd. I wouldn't modify the PAM configuration unless
you really know what you're doing. You're more likely to lock yourself
out completely than anything else. If you want sshd to require
passwords, change sshd's configuration so that it doesn't allow key logins.

>> I believe you can use pam_access(5) to grant login access only to
>> members of a group in your directory, and remove users from that
>> group when you disable their login access.
>
> That was my plan but it is not perfect...

What's not suitable about that plan?
 
Old 07-22-2010, 03:17 AM
Gordon Messmer
 
Preventing ssh keys from granting a user access when LDAP account is disabled.

On 07/21/2010 08:53 AM, Gordon Messmer wrote:
> There are a number of pam_... options available in /etc/ldap.conf, but
> I'm not sure if those are used when doing ssh logins with keys. That's
> probably worth checking out if you use nss_ldap. There are probably
> similar options for nss_sss, but I haven't looked at that yet either.

I played around with some options after setting the following in
/etc/ldap.conf:
pam_filter !(nsRoleDN=cn=nsmanageddisabledrole,dc=...)

The syntax is correct, and it works for password authentication (such as
"su"). However, even after setting all of the ldap modules in PAM to
"required", I'm still able to log in with a key. The documentation for
PAM in the sshd configuration file leads me to believe that this cannot
be made to work. If you allow key based logins, you cannot lock
accounts out using PAM+LDAP. That means that if you want to lock out a
user, you must completely invalidate their account. The big drawback
would be that a user who mistypes their password too many times will
probably stop receiving email (assuming you've tied your email system to
LDAP).

I believe you can do that in /etc/ldap.conf:
nss_base_passwd ou=People..?sub?!(nsRoleDN=...)

>> I still don't understand pam as well as I should but it would make
>> sense to me for PAM to "check" LDAP before checking ssh...

Remember that OpenSSH is maintained by the OpenBSD developers, where
there is no PAM. PAM support is added by the Portable OpenSSH group.
Support for PAM is probably imperfect.
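As an added illustration, not code from this thread or from 389/pam_ldap, here is a small Python model of the two mechanisms discussed above: Daniel's pam_listfile group allow-list (item=group sense=allow onerr=fail) and Gordon's nsRoleDN-based pam_filter. The audit function finds users who are inactivated in the directory but would still pass the group check, which is the key-login gap the thread is about. The directory entries and the dc=example,dc=com suffix are constructed placeholders.

```python
from typing import Dict, Iterable, List, Optional

# Constructed sample data (not from the thread). The suffix is a placeholder
# standing in for the "dc=..." elided in the mailing-list post.
DISABLED_ROLE = "cn=nsmanageddisabledrole,dc=example,dc=com"
ENTRIES: Dict[str, Dict[str, List[str]]] = {
    # active user in two allowed groups
    "alice": {"nsRoleDN": [], "groups": ["users", "ops"]},
    # inactivated in the console, but never removed from "users"
    "bob": {"nsRoleDN": [DISABLED_ROLE], "groups": ["users"]},
    # inactivated AND moved into a "disabled" group, as in Daniel's scheme
    "carol": {"nsRoleDN": [DISABLED_ROLE], "groups": ["disabled"]},
}


def pam_filter_allows(entry: Dict[str, List[str]],
                      disabled_role: str = DISABLED_ROLE) -> bool:
    """Mirror pam_filter !(nsRoleDN=<disabled role>): an entry that holds the
    role fails the filter. DN comparison is case-insensitive, like LDAP."""
    held = {r.lower() for r in entry["nsRoleDN"]}
    return disabled_role.lower() not in held


def listfile_allows(groups: Iterable[str], listfile_text: Optional[str],
                    onerr_fail: bool = True) -> bool:
    """Mirror pam_listfile item=group sense=allow: allow if any of the user's
    groups appears as a line in the file. A missing/unreadable file (None)
    is decided by onerr: onerr=fail denies, onerr=succeed allows."""
    if listfile_text is None:
        return not onerr_fail
    allowed = {line.strip() for line in listfile_text.splitlines()
               if line.strip()}
    return any(g in allowed for g in groups)


def audit(entries: Dict[str, Dict[str, List[str]]],
          listfile_text: Optional[str]) -> List[str]:
    """Users who fail the directory filter (inactivated) yet still pass the
    group allow-list: they could still log in with an ssh key."""
    return sorted(user for user, entry in entries.items()
                  if not pam_filter_allows(entry)
                  and listfile_allows(entry["groups"], listfile_text))


if __name__ == "__main__":
    print("still allowed despite inactivation:", audit(ENTRIES, "users\nops\n"))
```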
 
Old 07-22-2010, 09:33 AM
Gerrard Geldenhuis
 
Preventing ssh keys from granting a user access when LDAP account is disabled.

>________________________________________
>From: 389-users-bounces@lists.fedoraproject.org [389-users-bounces@lists.fedoraproject.org] on behalf of Gordon Messmer [yinyang@eburg.com]
>Sent: 22 July 2010 04:17
>To: General discussion list for the 389 Directory server project.
>Subject: Re: [389-users] Preventing ssh keys from granting a user access when LDAP account is disabled.
>
>On 07/21/2010 08:53 AM, Gordon Messmer wrote:
>> There are a number of pam_... options available in /etc/ldap.conf, but
>> I'm not sure if those are used when doing ssh logins with keys. That's
>> probably worth checking out if you use nss_ldap. There are probably
>> similar options for nss_sss, but I haven't looked at that yet either.
>
>I played around with some options after setting the following in
>/etc/ldap.conf:
>pam_filter !(nsRoleDN=cn=nsmanageddisabledrole,dc=...)
>
>The syntax is correct, and it works for password authentication (such as
>"su"). However, even after setting all of the ldap modules in PAM to
>"required", I'm still able to log in with a key. The documentation for
>PAM in the sshd configuration file leads me to believe that this cannot
>be made to work. If you allow key based logins, you cannot lock
>accounts out using PAM+LDAP. That means that if you want to lock out a
>user, you must completely invalidate their account. The big drawback
>would be that a user who mistypes their password too many times will
>probably stop receiving email (assuming you've tied your email system to
>LDAP).

Well that is useful to know at least. I haven't played around with pam_filter yet but may be able to utilize it for something else.

>
>I believe you can do that in /etc/ldap.conf:
>nss_base_passwd ou=People..?sub?!(nsRoleDN=...)
>
>>> I still don't understand pam as well as I should but it would make
>>> sense to me for PAM to "check" LDAP before checking ssh...
>
>Remember that OpenSSH is maintained by the OpenBSD developers, where
>there is no PAM. PAM support is added by the Portable OpenSSH group.
>Support for PAM is probably imperfect.

It is unfortunate. It would be nice if you could do a logical AND in PAM to utilize two sources of authentication. My understanding was that PAM is the bastion for all authentication and that nothing happens without its say so.

Regards

 
Old 07-22-2010, 10:25 PM
Gordon Messmer
 
Preventing ssh keys from granting a user access when LDAP account is disabled.

On 07/22/2010 02:33 AM, Gerrard Geldenhuis wrote:
>
> It is unfortunate. It would be nice if you could do a logical AND in
> PAM to utilize two sources of authentication. My understanding was
> that PAM is the bastion for all authentication and that nothing
> happens without its say so.

Just to be clear, my comment about PAM support being imperfect was
directed at OpenSSH only. PAM is a very nice system, and you can
certainly do a logical "and" in its configuration by marking multiple
services "required". The problem in this case is that OpenSSH does some
of its authentication outside of PAM, so it isn't possible to lock a
user out with PAM unless you turn off the parts of OpenSSH that may also
authenticate users. That is, you'd have to disable key logins entirely.

Unless I'm wrong. I could be. It may simply be that pam_ldap isn't
using pam_filter in the "account" stack, where it would be useful in
this case. If that were true, we'd need to fix pam_ldap. I wonder if
SSS behaves the same way?
 