[Samba] SSH - Winbind and Keybased Auth

Andrew Bartlett abartlet at samba.org
Mon Dec 9 18:02:28 MST 2013

On Tue, 2013-12-10 at 00:34 +0000, Gary Greene wrote:
> On Dec 9, 2013, at 3:56 PM, Nathan Frankish <nfrankish at qldmotorways.com.au> wrote:
> > Hi Andrew,
> > 
> > I think there are wider security implications with the implementation of pam_winbind in the account chain. Winding the grammar and documentation back to meet the actual implementation regarding require_membership_of only addresses part of the issue. Account validation is required regardless of authentication method. In the currently suggested solution, ssh keys would have to be disabled (contrary to default configuration) to maintain the integrity of winbind account validation. This isn't just limited to require_membership_of. For example, we have just confirmed that if you have a disabled account in Active Directory that is not able to log in to the server with a password (NT_STATUS_ACCOUNT_DISABLED), it _is_ still able to log in to the system with a key.
> This doesn’t horribly surprise me, as Andrew pointed out, SSH doesn’t care too much about the PAM layer when doing key based auth. Try this experiment, and you’ll see exactly what I mean:
> 1. Create a local or LDAP account, doesn’t really matter which
> 2. Create an SSH key for that user
> 3. Transfer public key to other host
> 4. Disable the local or LDAP account (do not remove)

This really should cause SSH to stop and deny the authentication.  How
are you disabling the account in this case?

> 5. Try logging in to the account
> You will see that you can still SSH in using this account even though it is fully disabled.
> The reason for this is that SSH doesn’t care one whit about whether the account has a valid PAM stack response at all for key auth, it does all the work itself.
> The only reasonable fix would really need to go on the SSH side, and getting a patch into the portable tree to fix this will be rough to do, as a number of admins routinely use this “misfeature” to lock down the root account on boxes, to allow only SSH key auth access to the account.

I'm sceptical that SSH is the issue, because the acct and session
modules are being run.  An easy way to test would be to replace
pam_winbind with pam_deny.

Assuming that demonstrates that SSH is holding up its end of the
bargain, then I can only agree with the analysis, and really the only
way to fix it is in pam_winbind and winbindd.

A while back, a client (NETGEAR) asked me for a similar thing, but in
their case they only wanted to know if the user was under a specific OU.
I wrote up this patch:

That could be extended to store and return the user's flags, such as
ACB_DISABLED, and it could confirm the require_membership_of, the
lockout time and perhaps even the logon window (logon hours).

It's not a trivial task however (you will note that preliminary patch
has no tests, for example), and is even more difficult as we must
ensure that the cache it uses (based on the last NTLM or Kerberos
login) isn't stale, because currently if that is present, we rely on it.

I hope this helps in some way,

Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
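The pam_deny experiment Andrew suggests is worth seeing spelled out. The following is an added example, not code from the thread or from Samba: a toy model of how a PAM `account` stack is evaluated (simplified Linux-PAM control-flag semantics; the bracketed `[...]` control syntax is not handled). The module behaviours, the `pam_winbind_flags.so` name, the user record and the `/etc/pam.d/sshd` fragments are all constructed for illustration.

```python
# Added example (not from the thread): a toy model of PAM "account" stack
# evaluation, to show why swapping pam_winbind for pam_deny is a clean test of
# whether sshd consults the account stack for public-key logins.
# Module behaviours, user records and config fragments are all constructed.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"
PAM_PERM_DENIED = "PAM_PERM_DENIED"


def pam_winbind_current(user):
    # Models the behaviour reported in the thread: with no fresh NTLM/Kerberos
    # result to consult (key-based login), the account check passes even for
    # a disabled AD account.
    return PAM_SUCCESS


def pam_winbind_with_flags(user):
    # Hypothetical variant that honours a cached ACB_DISABLED flag, in the
    # spirit of the extension Andrew sketches.
    return PAM_ACCT_EXPIRED if user.get("acb_disabled") else PAM_SUCCESS


def pam_deny(user):
    return PAM_PERM_DENIED


def pam_permit(user):
    return PAM_SUCCESS


# Module file name -> behaviour.  "pam_winbind_flags.so" is a made-up name.
MODULES = {
    "pam_winbind.so": pam_winbind_current,
    "pam_winbind_flags.so": pam_winbind_with_flags,
    "pam_deny.so": pam_deny,
    "pam_permit.so": pam_permit,
}


def parse_account_stack(config_text):
    """Return [(control, module)] for the 'account' lines of a pam.d file.
    Module arguments such as require_membership_of=... are ignored."""
    stack = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module, *_args = line.split()
        if mtype == "account":
            stack.append((control, module))
    return stack


def run_account_stack(stack, user):
    """Simplified evaluation of required/requisite/sufficient/optional."""
    first_failure = None
    for control, module in stack:
        rc = MODULES[module](user)
        ok = rc == PAM_SUCCESS
        if control == "required":
            # Keep running (later modules cannot tell which one failed),
            # but the first failure becomes the final result.
            if not ok and first_failure is None:
                first_failure = rc
        elif control == "requisite":
            if not ok:
                return rc  # fail immediately
        elif control == "sufficient":
            # Success ends the stack only if no earlier 'required' failed.
            if ok and first_failure is None:
                return PAM_SUCCESS
        elif control == "optional":
            pass  # only decisive when it is the sole module; ignored here
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return first_failure or PAM_SUCCESS


# Constructed /etc/pam.d/sshd account sections for the three scenarios.
STACKS = {
    "winbind": "account required pam_winbind.so require_membership_of=Example-Admins",
    "deny": "account required pam_deny.so  # Andrew's suggested test",
    "winbind_flags": "account required pam_winbind_flags.so",
}

# Constructed AD user whose account is disabled (ACB_DISABLED set).
DISABLED_USER = {"name": "jdoe", "acb_disabled": True}


def run_experiment(user=DISABLED_USER):
    """Account-stack result per scenario.  If sshd really runs the account
    stack for key logins, 'deny' must come back PAM_PERM_DENIED; 'winbind'
    passing then shows the gap is in pam_winbind, not in sshd."""
    return {name: run_account_stack(parse_account_stack(cfg), user)
            for name, cfg in STACKS.items()}


if __name__ == "__main__":
    for name, rc in run_experiment().items():
        print(f"{name:14s} -> {rc}")
```

Two caveats when running the real experiment: sshd only calls the PAM account stack for public-key logins when `UsePAM yes` is set in `sshd_config`, and a distribution's `common-account` include usually uses the bracketed control syntax rather than the four keywords modelled here, so check the actual stack that `/etc/pam.d/sshd` pulls in before drawing conclusions.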
