[Samba] SSH - Winbind and Keybased Auth

Harry Jede walk2sun at arcor.de
Tue Dec 10 08:05:09 MST 2013


On 15:51:50 wrote Nathan Frankish:
> Hi Andrew,
> 
> I'll try and build a test machine later to test the patches. But in
> conclusion, just so I'm clear, using pam_winbind and SSH keys will
> essentially be an unsupported configuration resulting in a potential
> security issue for anyone who uses restrict_membership as part of
> the auth chain? Whilst it will work in the auth chain with users
> who authenticate with passwords, attempting to use winbind as part
> of the account chain could result in a user being authorized that
> shouldn't be.
> 
> E.g. this configuration:
> [nathan at NEWSERVER ~]$ cat /etc/pam.d/system-auth-ac
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=LinuxServerAdmins_SG,NEWSERVER_access_sg
> auth required /lib/security/$ISA/pam_deny.so
> 

Declare pam_winbind.so as required and _not_ as sufficient.
In case of success, hop over pam_deny.so.
Try these 5 lines:


auth required /lib/security/$ISA/pam_env.so
auth [success=2 default=ignore] /lib/security/$ISA/pam_unix.so likeauth nullok
auth [success=1 default=ignore] /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=LinuxServerAdmins_SG,NEWSERVER_access_sg
auth requisite /lib/security/$ISA/pam_deny.so
auth required /lib/security/$ISA/pam_permit.so


> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> account required /lib/security/$ISA/pam_permit.so
> 
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok sha512 shadow remember=24
> password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> password required /lib/security/$ISA/pam_deny.so
> 
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session required pam_mkhomedir.so skel=/etc/skel umask=0022
> session required /lib/security/$ISA/pam_winbind.so use_first_pass
> 
> 
> 
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Monday, 9 December 2013 1:27 PM
> To: Nathan Frankish
> Cc: 'samba at lists.samba.org'; Garming Sam
> Subject: Re: [Samba] SSH - Winbind and Keybased Auth
> 
> On Mon, 2013-12-09 at 03:16 +0000, Nathan Frankish wrote:
> > Howdy,
> > 
> > Sorry, not verbatim. Did a find and replace that might have
> > introduced spaces. I am happy to send you the configuration
> > directly if you want to see the original config.
> > 
> > This is an old configuration that's migrated forward a few times.
> > It originally would have been system generated by one of the Red
> > Hat system tools; however, it's been handcrafted since.
> > 
> > Trying to understand what you mean by making this directive
> > illegal: do you mean that the require_membership directive won't
> > restrict users anymore in the account section, thereby not fixing
> > the issue I've raised about ssh-keys and winbind?
> 
> Yes.  This directive was accepted by the configuration grammar, but
> never worked the way you thought it worked.  It only ever worked
> during password authentication, not account module processing.  So,
> instead I worked with Garming Sam to implement this (making it not
> even appear to work, and documenting this fact) on Friday.
> 
> I know it's not much help (as you wanted this to work), but if you
> could test that it fails in a useful way in your configuration, that
> would be most helpful.
> 
> Thanks,
> 
> Andrew Bartlett
> 
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT         
> http://catalyst.net.nz/services/samba


-- 

Regards
	Harry Jede
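To make the behaviour discussed in this thread concrete, here is an added example (not code from the thread, from Samba, or from any of the posters): a toy Python evaluator for the quoted 'auth' and 'account' stacks. It assumes that an sshd public-key login skips the PAM auth stack and runs only account, and that pam_winbind honours require_membership_of in auth but not in account, as Andrew states above; the module names and the OUTSIDER user are constructed labels.

```python
# Toy PAM stack evaluator: an added example, not code from the thread or from Samba.
def eval_stack(stack, verdicts):
    """Walk [(control, module), ...] with Linux-PAM control semantics; True = PAM success."""
    failed = passed = False      # a 'required' entry failed / some entry succeeded
    i = 0
    while i < len(stack):
        control, module = stack[i]
        ok = verdicts[module]
        if control == "required":        # failure is remembered, chain continues
            failed, passed = failed or not ok, passed or ok
        elif control == "requisite":     # failure ends the chain at once
            if not ok:
                return False
            passed = True
        elif control == "sufficient":    # success ends the chain, unless a
            if ok and not failed:        # 'required' entry already failed
                return True
        elif control.startswith("[success="):   # jump over N entries on success;
            if ok:                              # failure is ignored
                i += int(control[len("[success="):].split()[0])
        else:
            raise ValueError(f"unsupported control: {control}")
        i += 1
    return passed and not failed

# Nathan's 'auth' stack and Harry's five-line replacement (module names are labels).
NATHAN_AUTH = [("required", "pam_env"), ("sufficient", "pam_unix"),
               ("sufficient", "pam_winbind_auth"), ("required", "pam_deny")]
HARRY_AUTH = [("required", "pam_env"), ("[success=2 default=ignore]", "pam_unix"),
              ("[success=1 default=ignore]", "pam_winbind_auth"),
              ("requisite", "pam_deny"), ("required", "pam_permit")]
# Nathan's 'account' stack; pam_winbind does not honour require_membership_of here.
ACCOUNT = [("required", "pam_unix_account"), ("sufficient", "pam_succeed_if_uid_lt_100"),
           ("sufficient", "pam_winbind_account"), ("required", "pam_permit")]

def ssh_login(user, method, auth_stack):
    """'password' runs auth then account; 'publickey' runs account only (assumed sshd behaviour)."""
    verdicts = {
        "pam_env": True, "pam_permit": True, "pam_deny": False,
        "pam_unix": user["local"] and user["password_ok"],
        "pam_winbind_auth": user["ad"] and user["password_ok"] and user["in_group"],
        "pam_unix_account": True,             # user resolvable via NSS (assumed)
        "pam_succeed_if_uid_lt_100": user["uid"] < 100,
        "pam_winbind_account": user["ad"],    # valid AD account; group not checked
    }
    if method == "password" and not eval_stack(auth_stack, verdicts):
        return False
    return eval_stack(ACCOUNT, verdicts)
# Constructed AD user with a valid password and an authorized_keys entry, but not in LinuxServerAdmins_SG.
OUTSIDER = {"ad": True, "local": False, "password_ok": True, "in_group": False, "uid": 10001}
```

Running it shows the outsider denied on a password login under both auth stacks but admitted on a key login under both, because only the account stack runs and the group check never happens there.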

