1350790 – openssh-server usage of pam_namespace breaks access

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1350790 - openssh-server usage of pam_namespace breaks access

Summary: openssh-server usage of pam_namespace breaks access

Keywords:
Status:	CLOSED WORKSFORME
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	openssh
Sub Component:
Version:	6.8
Hardware:	All
OS:	All
Priority:	unspecified
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Jelen
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-06-28 12:07 UTC by Mark Woodward
Modified:	2023-09-14 03:27 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-12-05 15:22:26 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Tar file of scripts (4.19 KB, application/octet-stream) 2016-06-28 14:56 UTC, Mark Woodward	no flags	Details
View All

Description Mark Woodward 2016-06-28 12:07:59 UTC

Description of problem:
The usage of "key id" in the public certificate as a system user name breaks the ssh session.

Version-Release number of selected component (if applicable):
openssh-5.3p1-118.el6.src.rpm

How reproducible:
Very

Steps to Reproduce:
1.
Create an ssh key with ssh-keygen, give it a key identifier with -I (a name 
that is not a "user" on the system)
2.
Put pub key in authorized keys in /root/.ssh
3.
ssh -i keyfile root@host


Actual results:
Session gets broken with the message in /var/log/secure "User not known to the underlying authentication module"


Expected results:
Working ssh session as root

Additional info:
Comment out namepace in /etc/pam.d/sshd and it work.


The is no requirement that the key identifier be an authenticated user in ssh. In many deployments it is used to track access by multiple users on a single account, i.e. root. Putting pam_namespace in the sshd pam script breaks existing functionality.

Comment 1 Jakub Jelen 2016-06-28 12:22:35 UTC

You either authorize using certificates with identities (-I) or using public keys. You should not mix both of them.
Can you clarify exact configuration what are you using on your server and client and exact commands what you are running (and preferably also the logs?). From this report I have no idea how to reproduce your problem nor how to fix that.

Comment 3 Mark Woodward 2016-06-28 14:39:11 UTC

"You either authorize using certificates with identities (-I) or using public keys. You should not mix both of them."

Why not? 

We have a series of appliances that have no "users" on them. We ssh to them using keys that expire. The key identifier allows us to track who logs on them. The / and /usr file systems are read-only and check-sum'ed. We do not add or remove users.

We create a central key authority, here is an example:
markw@engwifi-230-242:~/repro$ cat bootstrap.sh 
#!/bin/sh

export DEMO_CA_DIR="/home/somedir/repro/ssl"

rm -rf $DEMO_CA_DIR
mkdir -m 0755  $DEMO_CA_DIR 
mkdir -m 0755  $DEMO_CA_DIR/private 
mkdir -m 0755  $DEMO_CA_DIR/certs 
mkdir -m 0755  $DEMO_CA_DIR/newcerts 
mkdir -m 0755  $DEMO_CA_DIR/crl

export DEMO_CA_KEY=$DEMO_CA_DIR/private/demo.key
export DEMO_CA_PEM=$DEMO_CA_DIR/private/demo.pem
export DEMO_CA_CRT=$DEMO_CA_DIR/certs/demo.crt
export DEMO_CA_SSH=$DEMO_CA_DIR/certs/demo.ssh

SSH_KEYGEN=$SSHPATH/ssh-keygen

#
# Initialize the private/public key infrastructre
#
REPLACE=$(echo $DEMO_CA_DIR | sed  's/\//\\\//g')
cat openssl.cnf | sed s/DEMO_CA_DIR/$REPLACE/ > $DEMO_CA_DIR/openssl.cnf

# Create an empty index file
#
touch $DEMO_CA_DIR/index.txt

#
# The serial numbers should start at 01
#
echo "01" > $DEMO_CA_DIR/serial

#
# Create the certificate authority
#
openssl req -config $DEMO_CA_DIR/openssl.cnf -nodes -new -x509 -extensions v3_ca -keyout $DEMO_CA_KEY  -subj '/CN=demo.noname'  -out $DEMO_CA_CRT -days 100 

#
# Mark it as only usable by us
chmod 0600 $DEMO_CA_KEY

#
# Create the SSH public key
#
ssh-keygen -f $DEMO_CA_KEY -y > $DEMO_CA_SSH

#
# Create a PEM file for signinging
#
cat $DEMO_CA_CRT $DEMO_CA_KEY > $DEMO_CA_PEM
chmod 0600 $DEMO_CA_PEM


######
markw@engwifi-230-242:~/repro$ cat ssh_create_user.sh 
#!/bin/sh
export DEMO_CA_DIR="/home/somedir/repro/ssl"
export DEMO_CA_KEY=$DEMO_CA_DIR/private/demo.key
export DEMO_CA_PEM=$DEMO_CA_DIR/private/demo.pem
export DEMO_CA_CRT=$DEMO_CA_DIR/certs/demo.crt
export DEMO_CA_SSH=$DEMO_CA_DIR/certs/demo.ssh

ssh-keygen -f $1-key
ssh-keygen -s $DEMO_CA_PEM -C "$1" -I "$1" -n $1,root -V +3d $1-key.pub 
#######

Now, run bootstrap.sh, this will create your central authority.
Copy ssl/certs/demo.ssh to /etc/ssh to your target machine or VM
Add this line to the target  sshd_config 
TrustedUserCAKeys	/etc/ssh/demo.ssh

Restart sshd on your target machine

make sure:
#session    required     pam_namespace.so
is commented out in the target's /etc/pam.d/sshd

on your CA machine, in the repro directory

bash ssh_create_user.sh fubar
<use empty passphrases if you like>

ssh -i fubar-key root@target

You should connect.

Now, uncomment this line on the target: (/etc/pam.d/sshd)
session    required     pam_namespace.so 

Try again on your CA machine:
ssh -i fubar-key root.122.188

It will fail.

There is no prescription that the key_identity MUST be a valid user on the target machine.

Comment 4 Mark Woodward 2016-06-28 14:56:10 UTC

Created attachment 1173489 [details]
Tar file of scripts

This will make it easy to reproduce

Comment 5 Jakub Jelen 2016-06-29 08:09:18 UTC

Thank you for verbose information about reproducer.

You reported the bug against RHEL6, which is using openssh-5.3, but it is using 

   [-n principals]

instead of

   [-Z principals]

in RHEL6 environment. But it should not make a difference in the end.

I tried to reproduce your described behavior according to your description, but without any success. I am able to connect to root account with this key generated (on RHEL6 machine). There will be probably also some different configuration in place.

Can you check what is in your  /etc/security/namespace.conf  and why? If this one is empty, the  pam_namespace.so  in PAM stack should be noop. Polyinstantiation should also require SELinux boolean  allow_polyinstantiation. Do you have that enabled or can you see some AVCs in audit?

Comment 7 Jakub Jelen 2016-11-07 11:14:33 UTC

Mark, could you have a look in the questions I asked in the comment #5? I can't reproduce your behavior in my testing system, which proposes there is some other effective configuration in your system. Otherwise I will close this bug soon.

Comment 8 Jakub Jelen 2016-12-05 15:22:26 UTC

    Thank you for taking the time to enter a bug report with us. We appreciate the feedback and look to use reports such as this to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to  guarantee the timeliness or suitability of a resolution.

    If this issue is critical or in any way time sensitive, please raise a ticket through your regular Red Hat support channels to make certain  it receives the proper attention and prioritization to assure a timely resolution. 

    For information on how to contact the Red Hat production support team, please visit:

    https://access.redhat.com/support/

Comment 9 Red Hat Bugzilla 2023-09-14 03:27:25 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

Note You need to log in before you can comment on or make changes to this bug.