[Samba] SSH - Winbind and Keybased Auth

Nathan Frankish nfrankish at qldmotorways.com.au
Sun Dec 8 21:44:56 MST 2013

Hi Andrew,

I'll try and build a test machine later to test the patches. But in conclusion, just so I'm clear, using pam_winbind and SSH keys will essentially be an unsupported configuration resulting in a potential security issue for anyone who uses restrict_membership as part of the auth chain? Whilst it will work in the auth chain with users who authenticate with passwords, attempting to use winbind as part of the account chain could result in a user being authorized that shouldn’t be.

E.g. this configuration:
[nathan at NEWSERVER ~]$ cat /etc/pam.d/system-auth-ac
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=LinuxServerAdmins_SG,NEWSERVER_access_sg
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok sha512 shadow remember=24
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session required /lib/security/$ISA/pam_winbind.so use_first_pass

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, 9 December 2013 1:27 PM
To: Nathan Frankish
Cc: 'samba at lists.samba.org'; Garming Sam
Subject: Re: [Samba] SSH - Winbind and Keybased Auth

On Mon, 2013-12-09 at 03:16 +0000, Nathan Frankish wrote:
> Howdy,
> Sorry not verbatim. Did a find and replace that might have introduced 
> spaces. I am happy to send you the configuration directly if you want 
> to see the original config
> This is an old configuration that’s migrated forward a few times. It 
> originally would have been system generated by one of the red hat 
> system tools, however its been handcrafted since.
> Trying to understand what you mean by making this directive illegal, 
> do you mean that the require_membership directive won't restrict users 
> anymore in the account section, thereby not fixing the issue I've 
> raised about ssh-keys and winbind?

Yes.  This directive was accepted by the configuration grammar, but never worked the way you thought it worked.  It only ever worked during password authentication, not account module processing.  So, instead I worked with Garming Sam to implement this (making it not even appear to work, and documenting this fact) on Friday.

I know it's not much help (as you wanted this to work), but if you could test that it fails in a useful way in your configuration, that would be most helpful.


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
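The point the thread turns on is that sshd only runs the PAM auth stack for password logins; a public-key login goes straight to the account and session stacks, so a require_membership_of restriction that lives only on an auth line is never consulted, and (as Andrew states) the same option on an account line is not honoured at all. The following audit script is an added example, not code from this thread or from Samba: it parses a pam.d stack, finds every pam_winbind require_membership_of setting, and reports for which login types the restriction is actually enforced. The sample configuration is constructed from the system-auth-ac stack quoted above, and the mapping of login type to PAM stacks run (password: auth, account, session; pubkey: account, session) is an assumption about sshd's behaviour with UsePAM yes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the system-auth-ac stack quoted in this thread
# (only the auth and account stacks matter for this check).
SAMPLE_PAM_CONFIG = """
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=LinuxServerAdmins_SG,NEWSERVER_access_sg
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
account required /lib/security/$ISA/pam_permit.so
"""

# Constructed variant: the option moved to the account stack, where it is ignored.
ACCOUNT_VARIANT = """
auth sufficient pam_winbind.so
account sufficient pam_winbind.so require_membership_of=LinuxServerAdmins_SG
"""

# Assumption (sshd with UsePAM yes): which PAM stacks each login type runs.
STACKS_RUN = {
    "password": ("auth", "account", "session"),
    "pubkey": ("account", "session"),   # public-key auth skips the auth stack
}

@dataclass
class PamRule:
    stack: str        # auth, account, password or session
    control: str      # required, sufficient, or a bracketed control string
    module: str       # module basename, e.g. pam_winbind.so
    args: List[str]   # remaining module arguments

# One pam.d line: type, control (possibly "[success=1 default=ignore]"), module, args.
_LINE_RE = re.compile(r'^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')

def parse_pam(text: str) -> List[PamRule]:
    """Parse pam.d text into rules, dropping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _LINE_RE.match(line) if line else None
        if not m:
            continue
        stack, control, module, rest = m.groups()
        rules.append(PamRule(stack.lower(), control.lower(),
                             module.rsplit("/", 1)[-1], rest.split()))
    return rules

def membership_restrictions(rules: List[PamRule]) -> Dict[str, List[str]]:
    """Map each stack to the groups named by pam_winbind require_membership_of."""
    found: Dict[str, List[str]] = {}
    for r in rules:
        if not r.module.startswith("pam_winbind"):
            continue
        for arg in r.args:
            if arg.startswith("require_membership_of="):
                groups = arg.split("=", 1)[1].split(",")
                found.setdefault(r.stack, []).extend(groups)
    return found

def audit(text: str) -> Dict[str, object]:
    """Report where the winbind group restriction is set and which logins it covers.

    'ineffective' lists require_membership_of settings on non-auth stacks, which
    pam_winbind does not honour; 'enforced' says, per login type, whether a
    restriction on the auth stack is actually consulted for that login.
    """
    restr = membership_restrictions(parse_pam(text))
    ineffective = {stack: groups for stack, groups in restr.items() if stack != "auth"}
    enforced = {login: ("auth" in restr and "auth" in stacks)
                for login, stacks in STACKS_RUN.items()}
    return {"enforced": enforced, "ineffective": ineffective}

if __name__ == "__main__":
    for name, cfg in (("quoted stack", SAMPLE_PAM_CONFIG), ("account variant", ACCOUNT_VARIANT)):
        print(name, audit(cfg))
```

Run against the quoted stack it reports the restriction as enforced for password logins but not for public-key logins, which is exactly the gap described in this thread; the account-stack variant is flagged as ineffective for both login types. Note that the script only reasons about pam_winbind: a user who satisfies an earlier sufficient pam_unix line is also never evaluated by pam_winbind, so the group list should not be treated as the only gate.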
