Bug 223031 - authconfig, sshd & pam_ldap do not work as expected with ~/.ssh/authorized_keys
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: authconfig
Version: 4.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-01-17 16:46 UTC by Simon Bailey
Modified: 2007-11-17 01:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-04-10 15:54:10 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Trust schema for use in openldap. (783 bytes, application/octet-stream)
2007-01-17 16:46 UTC, Simon Bailey

Description Simon Bailey 2007-01-17 16:46:05 UTC
Description of problem:
Using the attached trust.schema with openldap (from the management application
gosa, http://gosa.gonicus.de), it is possible to restrict access to only certain
hosts by adding a pam_filter to /etc/ldap.conf. If a user uses the
~/.ssh/authorized_keys mechanism to log in to a host without a password, this
pam_filter is silently ignored, as sshd seems to pass OK to pam_unix.so.
Processing is then passed to the account stack; pam_ldap.so is set by authconfig
to ignore user_unknown return codes, meaning that a user who does NOT have
access to this host can use an authorized_keys file in his home directory shared
among multiple hosts to illegally gain access to a server.

Version-Release number of selected component (if applicable):
authconfig-4.6.10-rhel4.3
also verified with authconfig-5.3.11-1.el5
(not tested with previous versions, I assume this behaviour persists there as well).


How reproducible:
By following the steps below and trying to log in with a user who should not
have access to the host.

Steps to Reproduce:

0. add the attached trust.schema file to the ldap-server.

1. Set up ldap authentication on the host. Add the following ldif snippet to a
user in the ldap:

<<<
objectClass: trustAccount
trustModel: byhost
>>>

2. Set up authentication via ~/.ssh/authorized_keys for the user to test.


3. Add the following filter to the /etc/ldap.conf file on the host the user
should NOT have access to:
<<<
pam_filter |(&(accessTo=$HOSTNAME)(trustModel=byhost))(trustModel=fullaccess)
>>>
[change hostname accordingly to the local host]

4. Now try logging in with the user configured above.

  
Actual results:
The user can log into the host without entering his password, even though ldap
and pam are configured to not let him in.

Expected results:
The user should be denied access. Doesn't matter how. With the fix below
applied, RHEL-5b2 will drop the SSH connection, and RHEL-4.4 will require the user
to enter his password three times and then fail.


Additional info:
pam_ldap.so returns a PAM_USER_UNKNOWN code for ldap searches which do not
return any results. Setting user_unknown=ignore in the account section of
/etc/pam.d/system-auth will allow a user who has bypassed pam_ldap.so in the
auth section to log in regardless of whether he is allowed to or not.

Changing the line to:
account     [default=bad success=ok] /lib/security/$ISA/pam_ldap.so

(removing "user_unknown=ignore")
results in the expected behaviour.

Comment 1 Simon Bailey 2007-01-17 16:46:05 UTC
Created attachment 145835 [details]
Trust schema for use in openldap.

Comment 2 Tomas Mraz 2007-04-10 15:54:10 UTC
Authconfig is not a universal tool which can fit in every possible
authentication/authorization services setup. Changing the authconfig behavior as
requested would break local accounts login (/etc/passwd), breaking many other setups.

You will have to modify the /etc/pam.d/system-auth manually. Or you can
completely disable pubkey authentication in /etc/ssh/sshd_config
(PubkeyAuthentication no).

Note also that authconfig in RHEL5 allows local modification of
/etc/pam.d/system-auth - simply point the symlink created by authconfig to
system-auth-local which would contain just:

auth include system-auth-ac
account required pam_unix.so
account required pam_ldap.so
password include system-auth-ac
session include system-auth-ac
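The script below is an added audit check, not part of this report or of authconfig. It reads a system-auth file and an sshd_config and flags the combination described above: pam_ldap.so in the account stack with user_unknown=ignore while sshd still accepts public keys (which skip the auth stack). The sample files it creates are constructed for the demonstration; only the pam_ldap account line is taken from the report.

```shell
#!/bin/sh
# Added audit check for the bypass described in the report (not authconfig code).
# Returns 0 when pam_ldap's account verdict is enforced or pubkey auth is off,
# 1 when a pubkey login could bypass the LDAP host filter.
audit_pam_ldap() {
    system_auth=$1
    sshd_config=$2
    weak=0
    # Uncommented account lines loading pam_ldap.so that still ignore
    # PAM_USER_UNKNOWN, the result pam_ldap returns when pam_filter matches nothing.
    if grep -E '^[[:space:]]*account[[:space:]]' "$system_auth" \
        | grep 'pam_ldap\.so' | grep -q 'user_unknown=ignore'; then
        weak=1
    fi
    # sshd defaults to PubkeyAuthentication yes when the directive is absent,
    # so only an explicit "no" removes the auth-stack bypass.
    pubkey=1
    if grep -iqE '^[[:space:]]*PubkeyAuthentication[[:space:]]+no[[:space:]]*$' "$sshd_config"; then
        pubkey=0
    fi
    if [ "$weak" -eq 1 ] && [ "$pubkey" -eq 1 ]; then
        return 1
    fi
    return 0
}

SAMPLE_DIR=$(mktemp -d)
# Constructed sample stacks: the line authconfig writes, and the fix from the report.
cat > "$SAMPLE_DIR/system-auth.weak" <<'EOF'
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
EOF
cat > "$SAMPLE_DIR/system-auth.fixed" <<'EOF'
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok] /lib/security/$ISA/pam_ldap.so
EOF
printf 'PubkeyAuthentication yes\n' > "$SAMPLE_DIR/sshd_config.pubkey"
printf 'PubkeyAuthentication no\n'  > "$SAMPLE_DIR/sshd_config.nopubkey"

for stack in weak fixed; do
    if audit_pam_ldap "$SAMPLE_DIR/system-auth.$stack" "$SAMPLE_DIR/sshd_config.pubkey"; then
        echo "$stack stack: pam_ldap account result is enforced"
    else
        echo "$stack stack: pubkey login can bypass the LDAP host filter"
    fi
done
```

The sshd check only looks at the global PubkeyAuthentication setting; Match blocks in sshd_config are not evaluated.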


