[Samba] SSH - Winbind and Keybased Auth

David Keegel djk-samba at cyber.com.au
Thu Nov 28 04:17:28 MST 2013 

Nathan,

Could you do the restriction of ssh to group members by putting 
	AllowGroups testbox02_access_sg testbox02_2_access_sg
in /etc/ssh/sshd_config, instead of reconfiguring pam?

On Thu, Nov 28, 2013 at 07:50:20AM +0000, Nathan Frankish wrote:
> Hi Team,
> 
> We have a weird issue that we are trying to understand. We have winbind set up and working successfully for user authentication with passwords via ssh. We have pam.d/system-auth-ac and password-auth-ac (symlinked) set to require membership of a group which works great via password authentication.
> 
> However, if the user has a ssh key set up, they seem to bypass the group membership requirement. The user isnt defined on the box in either shadow or passwd, they are only defined in AD, but are successfully able to authenticate as shown in the log below.
> 
> Some logs below:
> 
> /var/log/secure
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f6b826837d0)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_USER) = "nathan" (0x7f6b826837f0)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_TTY) = "ssh" (0x7f6b8268dbd0)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_RHOST) = "mycomputer.domain.local" (0x7f6b82684610)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_CONV) = 0x7f6b82683810
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): user 'nathan' granted access
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] LEAVE: pam_sm_acct_mgmt returning 0 (PAM_SUCCESS)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f6b826837d0)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_USER) = "nathan" (0x7f6b826837f0)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_TTY) = "ssh" (0x7f6b8268dbd0)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_RHOST) = "mycomputer.domain.local" (0x7f6b82684610)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_CONV) = 0x7f6b82683810
> Nov 28 17:34:58 testbox01 sshd[26078]: Accepted publickey for nathan from 1.2.3.4 port 61767 ssh2
> 
> System-auth-ac:
> [root at testbox01 pam.d]# cat system-auth-ac
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_winbind.so debug debug_state use_first_pass require_membership_of=testbox02_access_sg, testbox02_2_access_sg
> auth required /lib/security/$ISA/pam_deny.so
> 
> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account required /lib/security/$ISA/pam_winbind.so debug debug_state require_membership_of= testbox_access_sg,testbox02_2_access_sg
> account required /lib/security/$ISA/pam_permit.so
> 
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> password required /lib/security/$ISA/pam_deny.so
> 
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session required pam_mkhomedir.so skel=/etc/skel umask=0022
> session required /lib/security/$ISA/pam_winbind.so
> 
> /etc/pam.d/sshd: #%PAM-1.0
> auth       required     pam_sepermit.so
> auth       include      password-auth
> account    required     pam_nologin.so
> account    include      password-auth
> password   include      password-auth
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
> session    required     pam_loginuid.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session    required     pam_selinux.so open env_params
> session    optional     pam_keyinit.so force revoke
> session    include      password-auth
> 
> 
> System information:
> Linux testbox01 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 10 22:19:54 EST 2013 x86_64 x86_64 x86_64 GNU/Linux
> Red Hat Enterprise Linux Server release 6.5 (Santiago)
> Samba packages: 3.6.9-164.el6
> 
> Not sure where to go next, or what else to provide.
> 
> 
> Nathan Frankish  |  Network & Systems Team Lead
> 
> 
> Queensland Motorways Pty Limited

-- 
___________________________________________________________________________
  David Keegel <djk-samba at cyber.com.au>      Cyber IT Solutions Pty. Ltd.   
   http://www.cyber.com.au/~djk/     Linux & Unix Systems Administration

More information about the samba mailing list