[Samba] SSH - Winbind and Keybased Auth

Nathan Frankish nfrankish at qldmotorways.com.au
Mon Dec 9 16:56:14 MST 2013


Hi Andrew,

I think there are wider security implications with the implementation of pam_winbind in the account chain. Winding the grammar and documentation back to meet the actual implementation regarding require_membership_of only addresses part of the issue. Account validation is required regardless of authentication method. In the currently suggested solution, ssh keys would have to be disabled (contrary to default configuration) to maintain the integrity of winbind account validation. This isn't just limited to require_membership_of. For example, we have just confirmed that if you have a disabled account in Active Directory that is not able to log in to the server with a password (NT_STATUS_ACCOUNT_DISABLED), it _is_ still able to log in to the system with a key.

See the logs below:
Dec 10 09:39:07 testserver01 sshd[14477]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.test.dom  user=testuser
Dec 10 09:39:07 testserver01 sshd[14477]: pam_winbind(sshd:auth): getting password (0x00004050)
Dec 10 09:39:07 testserver01 sshd[14477]: pam_winbind(sshd:auth): pam_get_item returned a password
Dec 10 09:39:07 testserver01 sshd[14477]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_ACCOUNT_DISABLED, Error message was: Account disabled
Dec 10 09:39:07 testserver01 sshd[14477]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'testuser')
Dec 10 09:39:09 testserver01 sshd[14477]: Failed password for testuser from 1.2.3.4 port 61780 ssh2
Dec 10 09:39:20 testserver01 sshd[14480]: Received disconnect from 1.2.3.4: 13: Unable to authenticate
Dec 10 09:39:20 testserver01 sshd[14477]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.test.dom  user=testuser
Dec 10 09:39:37 testserver01 sshd[14484]: Connection closed by 1.2.3.4

Dec 10 09:40:59 testserver01 sshd[14559]: pam_winbind(sshd:account): user 'testuser' granted access
Dec 10 09:40:59 testserver01 sshd[14559]: Accepted publickey for testuser from 1.2.3.4 port 61789 ssh2
Dec 10 09:40:59 testserver01 sshd[14559]: pam_unix(sshd:session): session opened for user testuser by (uid=0)

Thanks

Nathan Frankish  |  Network & Systems Team Lead
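The log pair above is the signature of the problem: in one sshd process the password path runs pam_winbind's auth phase and fails with NT_STATUS_ACCOUNT_DISABLED, while in a later process the publickey path never enters the auth stack, so only the account phase runs and the session is opened. As an added example (not code from the thread or from Samba), the following script shows how to spot that pattern in sshd logs after the fact: it groups lines by sshd PID, flags "Accepted publickey" sessions in which pam_winbind(sshd:auth) never ran, and cross-references them against users that winbind has reported as disabled. The log text is a constructed sample modelled on the lines quoted above (host, user and address are placeholders; the "alice" password login is an added negative control), and the "user = ..." extraction is a heuristic for these particular message formats.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sshd/pam_winbind lines quoted in the
# thread. Hostnames, user names and addresses are placeholders.
SAMPLE_LOG = """\
Dec 10 09:39:07 testserver01 sshd[14477]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.test.dom  user=testuser
Dec 10 09:39:07 testserver01 sshd[14477]: pam_winbind(sshd:auth): getting password (0x00004050)
Dec 10 09:39:07 testserver01 sshd[14477]: pam_winbind(sshd:auth): pam_get_item returned a password
Dec 10 09:39:07 testserver01 sshd[14477]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_ACCOUNT_DISABLED, Error message was: Account disabled
Dec 10 09:39:07 testserver01 sshd[14477]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'testuser')
Dec 10 09:39:09 testserver01 sshd[14477]: Failed password for testuser from 1.2.3.4 port 61780 ssh2
Dec 10 09:39:20 testserver01 sshd[14477]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.test.dom  user=testuser
Dec 10 09:40:59 testserver01 sshd[14559]: pam_winbind(sshd:account): user 'testuser' granted access
Dec 10 09:40:59 testserver01 sshd[14559]: Accepted publickey for testuser from 1.2.3.4 port 61789 ssh2
Dec 10 09:40:59 testserver01 sshd[14559]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Dec 10 09:42:10 testserver01 sshd[14601]: pam_winbind(sshd:auth): user 'alice' granted access
Dec 10 09:42:10 testserver01 sshd[14601]: Accepted password for alice from 1.2.3.5 port 50010 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# sshd's success line for any method: "Accepted <method> for <user> from <rhost> port <port>"
ACCEPTED_RE = re.compile(
    r'^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+) port (?P<port>\d+)')
# Heuristic: "user=testuser" (pam_unix) or "user = 'testuser'" (pam_winbind).
# The \b keeps "ruser=" from matching.
USER_RE = re.compile(r"\buser ?= ?'?(?P<user>[^'\s]+)'?")


def parse(log_text):
    """Split raw syslog text into dicts (ts, host, pid, msg), in file order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def sessions_by_pid(log_text):
    """Group message texts by sshd PID; one PID is one connection attempt."""
    by_pid = defaultdict(list)
    for ev in parse(log_text):
        by_pid[ev['pid']].append(ev['msg'])
    return by_pid


def key_logins_without_winbind_auth(log_text):
    """Accepted-publickey sessions in which pam_winbind's auth phase never ran.

    sshd does not execute the PAM auth stack for publickey, so an auth-phase
    option such as require_membership_of is never evaluated for these sessions.
    """
    findings = []
    for pid, msgs in sessions_by_pid(log_text).items():
        winbind_auth_ran = any(m.startswith('pam_winbind(sshd:auth)') for m in msgs)
        for m in msgs:
            acc = ACCEPTED_RE.match(m)
            if acc and acc['method'] == 'publickey' and not winbind_auth_ran:
                findings.append({'pid': pid, 'user': acc['user'], 'rhost': acc['rhost']})
    return findings


def users_reported_disabled(log_text):
    """Users for whom pam_winbind logged NT_STATUS_ACCOUNT_DISABLED.

    The NTSTATUS line itself carries no user name, so the name is taken from
    the 'user=' / "user = '...'" fields logged by the same sshd PID.
    """
    disabled = set()
    for pid, msgs in sessions_by_pid(log_text).items():
        if not any('NT_STATUS_ACCOUNT_DISABLED' in m for m in msgs):
            continue
        for m in msgs:
            u = USER_RE.search(m)
            if u:
                disabled.add(u['user'])
    return disabled


def bypass_alerts(log_text):
    """Key logins by users winbind has reported as disabled: sessions the
    password path would have rejected but the key path let through."""
    disabled = users_reported_disabled(log_text)
    return [f for f in key_logins_without_winbind_auth(log_text) if f['user'] in disabled]


if __name__ == '__main__':
    for f in bypass_alerts(SAMPLE_LOG):
        print(f"ALERT: publickey login for winbind-disabled user {f['user']} "
              f"from {f['rhost']} (sshd pid {f['pid']})")
```

Run against the sample, the script reports the 14559 session for testuser. It is a detective control only: it can only name users whose password attempt happened to fail in the same log window. The preventive control has to sit somewhere sshd evaluates for every authentication method, such as `AllowGroups` in sshd_config or a group check in the PAM account stack (for example `pam_succeed_if.so user ingroup <group>`), rather than in the auth stack that publickey logins skip.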



-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, 10 December 2013 8:00 AM
To: Nathan Frankish
Cc: 'samba at lists.samba.org'; Garming Sam
Subject: Re: [Samba] SSH - Winbind and Keybased Auth

On Mon, 2013-12-09 at 04:44 +0000, Nathan Frankish wrote:
> Hi Andrew,
> 
> I'll try and build a test machine later to test the patches. But in 
> conclusion, just so I'm clear, using pam_winbind and SSH keys will 
> essentially be an unsupported configuration resulting in a potential 
> security issue for anyone who uses restrict_membership as part of the 
> auth chain?

Yes.  Because SSH does not execute the auth chain for key-based login, any checks there do not apply. 

> Whilst it will work in the auth chain with users who authenticate 
> with passwords, attempting to use winbind as part of the account chain 
> could result in a user being authorized that shouldn't be.

Indeed. 

> Eg this configuration:
> [nathan at NEWSERVER ~]$ cat /etc/pam.d/system-auth-ac
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=LinuxServerAdmins_SG,NEWSERVER_access_sg
> auth required /lib/security/$ISA/pam_deny.so
> 
> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> account required /lib/security/$ISA/pam_permit.so
> 
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok sha512 shadow remember=24
> password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> password required /lib/security/$ISA/pam_deny.so
> 
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session required pam_mkhomedir.so skel=/etc/skel umask=0022
> session required /lib/security/$ISA/pam_winbind.so use_first_pass

So, what we are trying to do with this patch set is to lower expectations back to the actual implementation, which only checks groups during password authentication. 

We understand you would prefer more, but implementing require_membership_of for the account chain is not trivial.  That said, do feel free to file a bug, and we may be able to find a way to add this.

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba