[Samba] SSH - Winbind and Keybased Auth
David Keegel
djk-samba at cyber.com.au
Thu Nov 28 04:17:28 MST 2013
Nathan,
Could you do the restriction of ssh to group members by putting
AllowGroups testbox02_access_sg testbox02_2_access_sg
in /etc/ssh/sshd_config, instead of reconfiguring pam?
On Thu, Nov 28, 2013 at 07:50:20AM +0000, Nathan Frankish wrote:
> Hi Team,
>
> We have a weird issue that we are trying to understand. We have winbind set up and working successfully for user authentication with passwords via ssh. We have pam.d/system-auth-ac and password-auth-ac (symlinked) set to require membership of a group which works great via password authentication.
>
> However, if the user has a ssh key set up, they seem to bypass the group membership requirement. The user isnt defined on the box in either shadow or passwd, they are only defined in AD, but are successfully able to authenticate as shown in the log below.
>
> Some logs below:
>
> /var/log/secure
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f6b826837d0)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_USER) = "nathan" (0x7f6b826837f0)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_TTY) = "ssh" (0x7f6b8268dbd0)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_RHOST) = "mycomputer.domain.local" (0x7f6b82684610)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_CONV) = 0x7f6b82683810
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): user 'nathan' granted access
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] LEAVE: pam_sm_acct_mgmt returning 0 (PAM_SUCCESS)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f6b826837d0)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_USER) = "nathan" (0x7f6b826837f0)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_TTY) = "ssh" (0x7f6b8268dbd0)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_RHOST) = "mycomputer.domain.local" (0x7f6b82684610)
> Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_CONV) = 0x7f6b82683810
> Nov 28 17:34:58 testbox01 sshd[26078]: Accepted publickey for nathan from 1.2.3.4 port 61767 ssh2
>
> System-auth-ac:
> [root at testbox01 pam.d]# cat system-auth-ac
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_winbind.so debug debug_state use_first_pass require_membership_of=testbox02_access_sg, testbox02_2_access_sg
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account required /lib/security/$ISA/pam_winbind.so debug debug_state require_membership_of= testbox_access_sg,testbox02_2_access_sg
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session required pam_mkhomedir.so skel=/etc/skel umask=0022
> session required /lib/security/$ISA/pam_winbind.so
>
> /etc/pam.d/sshd: #%PAM-1.0
> auth required pam_sepermit.so
> auth include password-auth
> account required pam_nologin.so
> account include password-auth
> password include password-auth
> # pam_selinux.so close should be the first session rule
> session required pam_selinux.so close
> session required pam_loginuid.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session required pam_selinux.so open env_params
> session optional pam_keyinit.so force revoke
> session include password-auth
>
>
> System information:
> Linux testbox01 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 10 22:19:54 EST 2013 x86_64 x86_64 x86_64 GNU/Linux
> Red Hat Enterprise Linux Server release 6.5 (Santiago)
> Samba packages: 3.6.9-164.el6
>
> Not sure where to go next, or what else to provide.
>
>
> Nathan Frankish | Network & Systems Team Lead
>
>
> Queensland Motorways Pty Limited
--
___________________________________________________________________________
David Keegel <djk-samba at cyber.com.au> Cyber IT Solutions Pty. Ltd.
http://www.cyber.com.au/~djk/ Linux & Unix Systems Administration
More information about the samba
mailing list