[Samba] SSH - Winbind and Keybased Auth

Andrew Bartlett abartlet at samba.org
Mon Dec 9 14:59:35 MST 2013

On Mon, 2013-12-09 at 04:44 +0000, Nathan Frankish wrote:
> Hi Andrew,
> I'll try and build a test machine later to test the patches. But in
> conclusion just so I'm clear, using pam_winbind and SSH keys will
> essentially be an unsupported configuration resulting in a potential
> security issue for anyone who uses restrict_membership as part of the
> auth chain?

Yes.  Because SSH does not execute the auth chain for key-based login,
any checks there do not apply. 

> Whilst it will work in the auth chain with users who authenticate
> with passwords, attempting to use winbind as part of the account chain
> could result in a user being authorized that shouldn't be.


> Eg this configuration:
> [nathan at NEWSERVER ~]$ cat /etc/pam.d/system-auth-ac
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=LinuxServerAdmins_SG,NEWSERVER_access_sg
> auth required /lib/security/$ISA/pam_deny.so
> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> account required /lib/security/$ISA/pam_permit.so
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok sha512 shadow remember=24
> password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> password required /lib/security/$ISA/pam_deny.so
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session required pam_mkhomedir.so skel=/etc/skel umask=0022
> session required /lib/security/$ISA/pam_winbind.so use_first_pass

So, what we are trying to do with this patch set is to lower
expectations back to the actual implementation, which only checks groups
during password authentication. 

We understand you would prefer more, but implementing
require_membership_of for the account chain is not trivial.  That said,
do feel free to file a bug, and we may be able to find a way to add


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
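
The point Andrew makes above (sshd skips the PAM auth stack for key-based
logins, so require_membership_of= on the pam_winbind auth line never runs)
can be checked mechanically. The script below is an added example, not code
from this thread or from the Samba project: it models which PAM stack types
sshd consults for a password login versus a public-key login and reports
whether a group restriction sits on a stack that actually runs. Both PAM
stacks in it are constructed stand-ins for /etc/pam.d/system-auth-ac, and
the hardened variant assumes the group name is resolvable through NSS as
written (for example with "winbind use default domain = yes" in smb.conf).

```shell
#!/bin/sh
# Added example, not code from the Samba thread or project: simulate which PAM
# stack types sshd consults for a password login versus a public-key login, and
# report whether a group restriction is placed where it will actually run.
# Both PAM stacks below are constructed stand-ins, not real system files.

# Stack modelled on the one quoted in the thread: the only group check is
# require_membership_of= on the *auth* line of pam_winbind.
WEAK_STACK='auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_winbind.so use_first_pass require_membership_of=LinuxServerAdmins_SG
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_winbind.so use_first_pass
account required pam_permit.so
session required pam_unix.so'

# Hardened variant: the group gate moves to the *account* stack, which sshd
# (with UsePAM yes) runs for every login regardless of how the user
# authenticated. pam_succeed_if resolves the group through NSS, so the name
# is assumed to be what winbind returns for this domain (an assumption).
HARDENED_STACK='auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account required pam_succeed_if.so user ingroup LinuxServerAdmins_SG
account sufficient pam_winbind.so use_first_pass
account required pam_permit.so
session required pam_unix.so'

# stacks_run METHOD: print the PAM stack types sshd runs for that auth method.
# For public-key logins sshd never calls pam_authenticate(), so "auth" is
# skipped and only the account (and later session) stacks see the user.
stacks_run() {
    case "$1" in
        password)  echo "auth account session" ;;
        publickey) echo "account session" ;;
        *)         return 1 ;;
    esac
}

# group_gate_effective STACK METHOD: return 0 if some line carrying a group
# restriction (pam_winbind require_membership_of=, pam_succeed_if ... ingroup,
# or pam_listfile item=group) sits on a stack type that runs for METHOD,
# 1 otherwise.
group_gate_effective() {
    _stack=$1; _method=$2
    for _type in $(stacks_run "$_method"); do
        if printf '%s\n' "$_stack" | grep -Eq \
            "^${_type}[[:space:]].*(require_membership_of=|ingroup|item=group)"; then
            return 0
        fi
    done
    return 1
}

# report NAME STACK: one line per login method saying whether the gate holds.
report() {
    for _m in password publickey; do
        if group_gate_effective "$2" "$_m"; then
            echo "$1: $_m login -> group restriction enforced"
        else
            echo "$1: $_m login -> group restriction NOT enforced"
        fi
    done
}

report weak "$WEAK_STACK"
report hardened "$HARDENED_STACK"
```

Run as-is and the weak stack reports the restriction enforced for password
logins but not for public-key logins, while the hardened stack reports it
enforced for both. Two caveats: the account stack is only consulted when
sshd_config has UsePAM yes, and an sshd-level AllowGroups directive in
sshd_config gates the login independently of PAM, which is worth adding
alongside the account-stack check rather than instead of it.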
