Bug 223031 - authconfig, sshd & pam_ldap do not work as expected with ~/.ssh/authorized_keys
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: authconfig
All Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Reported: 2007-01-17 11:46 EST by Simon Bailey
Modified: 2007-11-16 20:14 EST

Doc Type: Bug Fix
Last Closed: 2007-04-10 11:54:10 EDT

Attachments
Trust schema for use in openldap. (783 bytes, application/octet-stream)
2007-01-17 11:46 EST, Simon Bailey

Description Simon Bailey 2007-01-17 11:46:05 EST
Description of problem:
Using the attached trust.schema with openldap (from the management application
gosa, http://gosa.gonicus.de), it is possible to restrict access to only certain
hosts by adding a pam_filter to /etc/ldap.conf. If a user uses
~/.ssh/authorized_keys mechanism to log in to a host without a password, this
pam_filter is silently ignored, as sshd seems to pass OK to pam_unix.so.
Processing is then passed to the account stack, pam_ldap.so is set by authconfig
to ignore user_unknown return codes, meaning that a user who does NOT have
access to this host can use an authorized_keys file in his home-directory shared
among multiple hosts to illegally gain access to a server.

Version-Release number of selected component (if applicable):
also verified with authconfig-5.3.11-1.el5
(not tested with previous versions, I assume this behaviour persists there as well).

How reproducible:
By following the steps below and trying to log in with a user who should not
have access to the host.

Steps to Reproduce:

0. add the attached trust.schema file to the ldap-server.

1. Setup ldap-authentication on the host. add the following ldif-snippet to a
user in the ldap:

objectClass: trustAccount
trustModel: byhost

2. setup authentication via ~/.ssh/authorized_keys for the user to test.

3. add the following filter to the /etc/ldap.conf file on the host the user
should NOT have access to:
pam_filter |(&(accessTo=$HOSTNAME)(trustModel=byhost))(trustModel=fullaccess)
[change hostname accordingly to the local host]

4. now try logging in with the user configured above

Actual results:
The user can log into the host without entering his password, even though ldap
and pam are configured to not let him in.

Expected results:
The user should be denied access. Doesn't matter how. With the fix below
applied, RHEL-5b2 will drop the SSH connection, RHEL-4.4 will require the user
to enter his password three times and then fail.

Additional info:
pam_ldap.so returns a PAM_USER_UNKNOWN code for ldap searches which do not
return any results. Setting user_unknown=ignore in the account section of
/etc/pam.d/system-auth will allow a user who has bypassed pam_ldap.so in the
auth section to log in regardless of whether he is allowed to or not.

changing the line to:
account     [default=bad success=ok] /lib/security/$ISA/pam_ldap.so

(removing "user_unknown=ignore")
results in the expected behaviour.
Comment 1 Simon Bailey 2007-01-17 11:46:05 EST
Created attachment 145835 [details]
Trust schema for use in openldap.
Comment 2 Tomas Mraz 2007-04-10 11:54:10 EDT
Authconfig is not a universal tool which can fit in every possible
authentication/authorization services setup. Changing the authconfig behavior as
requested would break local account logins (/etc/passwd), breaking many other setups.

You will have to modify the /etc/pam.d/system-auth manually. Or you can
completely disable pubkey authentication in /etc/ssh/sshd_config
(PubkeyAuthentication no).

Note also that authconfig in RHEL5 allows local modification of
/etc/pam.d/system-auth - simply point the symlink created by authconfig to
system-auth-local which would contain just:

auth include system-auth-ac
account required pam_unix.so
account required pam_ldap.so
password include system-auth-ac
session include system-auth-ac

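To make the control-flag reasoning in the report and in Comment 2 concrete, here is an added example (not from the bug, authconfig or pam_ldap) that models Linux-PAM's account-stack evaluation in Python. The three hypothetical accounts, the module return values and the two-line stack with pam_unix ahead of pam_ldap are constructed assumptions, not a real authconfig-generated file.

```python
"""Toy model of Linux-PAM account-stack evaluation (constructed example): why
user_unknown=ignore lets a filtered-out LDAP user in, and why dropping it locks out local accounts."""

SUCCESS, USER_UNKNOWN, PERM_DENIED = "success", "user_unknown", "perm_denied"

# Hypothetical accounts: name -> (where it lives, does pam_filter match on this host?)
USERS = {
    "ldap_ok":   ("ldap", True),   # accessTo=$HOSTNAME and trustModel=byhost match
    "ldap_deny": ("ldap", False),  # valid LDAP user, but not trusted on this host
    "local":     ("local", None),  # /etc/passwd account with no LDAP entry
}

def pam_unix_account(user):
    # Assumed: the account resolves via NSS (nss_ldap or /etc/passwd), so pam_unix passes.
    return SUCCESS

def pam_ldap_account(user):
    # pam_ldap returns PAM_USER_UNKNOWN when the pam_filter search finds no entry.
    source, trusted = USERS[user]
    return SUCCESS if source == "ldap" and trusted else USER_UNKNOWN

def parse_control(spec):
    """Expand 'required' to its bracketed equivalent and parse '[rc=action ...]'."""
    if spec == "required":
        spec = "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]"
    return dict(item.split("=") for item in spec.strip("[]").split())

def run_account_stack(stack, user):
    """Evaluate (control, module) entries with Linux-PAM's ok/done/bad/die/ignore rules."""
    status = None                      # no module has set a result yet
    for spec, module in stack:
        rc = module(user)
        actions = parse_control(spec)
        action = actions.get(rc, actions["default"])
        if action == "ignore":
            continue                   # this result has no influence on the stack
        if status in (None, SUCCESS):  # 'ok' overrides success; 'bad' records the first failure
            status = rc
        if action == "die" or (action == "done" and status == SUCCESS):
            break
    return PERM_DENIED if status is None else status

STACK_AUTHCONFIG = [("required", pam_unix_account),
                    ("[default=bad success=ok user_unknown=ignore]", pam_ldap_account)]
STACK_NO_IGNORE = [("required", pam_unix_account),
                   ("[default=bad success=ok]", pam_ldap_account)]

if __name__ == "__main__":
    for label, stack in (("authconfig", STACK_AUTHCONFIG), ("no-ignore", STACK_NO_IGNORE)):
        for user in USERS:
            print(f"{label:<10} {user:<10} -> {run_account_stack(stack, user)}")
```

With sshd pubkey login the auth stack never runs, so the account stack is the only gate: the "authconfig" variant admits "ldap_deny" while the "no-ignore" variant denies it but also denies "local", which is the trade-off Comment 2 describes.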