[Samba] SSH - Winbind and Keybased Auth

Gary Greene ggreene at minervanetworks.com
Mon Dec 9 17:34:14 MST 2013


On Dec 9, 2013, at 3:56 PM, Nathan Frankish <nfrankish at qldmotorways.com.au> wrote:

> Hi Andrew,
> 
> I think there are wider security implications with the implementation of pam_winbind in the account chain. Winding the grammar and documentation back to the meet the actual implementation regarding require_membership_of only addresses part of the issue. Account validation is required regardless of authentication method. In the currently suggest solution, ssh keys would have to be disabled (contrary to default configuration) to maintain the integrity of winbind account validation. This isn't just limited to require_membership_of. For example, we have just confirmed that that if you have a disabled account in Active Directory that is not able to log in to the server with a password (NT_STATUS_ACCOUNT_DISABLED), it _is_ still able to log in to the system with a key.

This doesn’t horribly surprise me, as Andrew pointed out, SSH doesn’t care too much about the PAM layer when doing key based auth. Try this experiment, and you’ll see exactly what I mean:

1. Create a local or LDAP account, doesn’t really matter which
2. Create an SSH key for that user
3. Transfer public key to other host
4. Disable the local or LDAP account (do not remove)
5. Try logging to the account

You will see that you can still SSH in using this account even though it is fully disabled.

The reason for this, is that SSH doesn’t care one whit about whether the account has a valid PAM stack response at all for key auth, it does all the work itself.

The only reasonable fix would really need to go on the SSH side, and getting a patch into the portable tree to fix this will be rough to do, as a number of admins routinely use this “misfeature” to lock down the root account on boxes, to allow only SSH key auth access to the account.

--
Gary L. Greene, Jr.
Sr. Systems Administrator
IT Operations
Minerva Networks, Inc.
Cell: +1 (650) 704-6633

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.samba.org/pipermail/samba/attachments/20131210/004399a9/attachment.pgp>


More information about the samba mailing list