Description of problem:
Using the attached trust.schema with openldap (from the management application gosa, http://gosa.gonicus.de), it is possible to restrict access to only certain hosts by adding a pam_filter to /etc/ldap.conf. If a user uses the ~/.ssh/authorized_keys mechanism to log in to a host without a password, this pam_filter is silently ignored, as sshd seems to pass OK to pam_unix.so. Processing is then passed to the account stack; pam_ldap.so is set by authconfig to ignore user_unknown return codes, meaning that a user who does NOT have access to this host can use an authorized_keys file in his home directory shared among multiple hosts to illegally gain access to a server.

Version-Release number of selected component (if applicable):
authconfig-4.6.10-rhel4.3
Also verified with authconfig-5.3.11-1.el5 (not tested with previous versions; I assume this behaviour persists there as well).

How reproducible:
By following the steps below and trying to log in with a user who should not have access to the host.

Steps to Reproduce:
0. Add the attached trust.schema file to the ldap-server.
1. Set up ldap-authentication on the host. Add the following ldif snippet to a user in the ldap:
<<<
objectClass: trustAccount
trustModel: byhost
>>>
2. Set up authentication via ~/.ssh/authorized_keys for the user to test.
3. Add the following filter to the /etc/ldap.conf file on the host the user should NOT have access to:
<<<
pam_filter |(&(accessTo=$HOSTNAME)(trustModel=byhost))(trustModel=fullaccess)
>>>
[change hostname accordingly to the local host]
4. Now try logging in with the user configured above.

Actual results:
The user can log into the host without entering his password, even though ldap and pam are configured to not let him in.

Expected results:
The user should be denied access. Doesn't matter how. With the fix below applied, RHEL-5b2 will drop the SSH connection, RHEL-4.4 will require the user to enter his password three times and then fail.
Additional info:
pam_ldap.so returns a PAM_USER_UNKNOWN code for ldap searches which do not return any results. Setting user_unknown=ignore in the account section of /etc/pam.d/system-auth will allow a user who has by-passed pam_ldap.so in the auth section to log in regardless of whether he is allowed to or not. Changing the line to:
account [default=bad success=ok] /lib/security/$ISA/pam_ldap.so
(removing "user_unknown=ignore") results in the expected behaviour.
Created attachment 145835: Trust schema for use in openldap.
Authconfig is not a universal tool which can fit in every possible authentication/authorization services setup. Changing the authconfig behavior as requested would break local accounts login (/etc/passwd), breaking many other setups. You will have to modify the /etc/pam.d/system-auth manually. Or you can completely disable pubkey authentication in /etc/ssh/sshd_config (PubkeyAuthentication no). Note also that authconfig in RHEL5 allows local modification of /etc/pam.d/system-auth - simply point the symlink created by authconfig to system-auth-local which would contain just:
auth include system-auth-ac
account required pam_unix.so
account required pam_ldap.so
password include system-auth-ac
session include system-auth-ac
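To make the control-flag argument in the report and in the reply above concrete, here is a small model of how Linux-PAM walks an account stack. It is an added example, not code from the bug report, from authconfig or from pam_ldap; the three-line account stack it parses is constructed for the example from the lines quoted in the report, and the per-module return codes (pam_ldap returning user_unknown when the pam_filter matches nothing) are assumptions that describe the scenario in the report. It shows the pubkey login slipping through the authconfig stack, being denied once user_unknown=ignore is dropped, and, as the maintainer notes, a local /etc/passwd user being denied by the same change.

```python
"""Simplified model of Linux-PAM account-stack evaluation (pam.conf(5) control syntax).

Added example, not part of the bug report or of any Red Hat component. It covers
the keyword controls and the [value=action ...] syntax with the actions ok, bad,
done, die and ignore, which is enough for the stacks discussed in the report.
"""
import os
import re

# Keyword controls expanded to their bracket equivalents, as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# type  control  module-path  [args...]; control is a keyword or a bracketed list.
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")


def parse_stack(text, stack_type="account"):
    """Return [(module basename, {return-code: action})] for one management group."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pam line: {line!r}")
        typ, control, module, _args = m.groups()
        if typ != stack_type:
            continue
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        entries.append((os.path.basename(module), actions))
    return entries


def run_stack(entries, results):
    """Walk the stack; `results` maps module name -> return code it produces this login.

    Return codes not listed in the control and without a default= are treated as
    bad, which is what Linux-PAM does with undefined actions.
    """
    impression = None  # None = nothing decided yet, otherwise "ok" or "bad"
    for module, actions in entries:
        rc = results.get(module, "success")
        action = actions.get(rc, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None:
                impression = "ok"          # a later failure can still override this
            if action == "done":
                return "success" if impression == "ok" else "denied"
        elif action in ("bad", "die"):
            impression = "bad"             # sticky: later ok/done cannot undo it
            if action == "die":
                return "denied"
        else:
            raise NotImplementedError(f"action {action!r} not modelled")
    return "success" if impression == "ok" else "denied"


def decide(stack_text, results):
    return run_stack(parse_stack(stack_text), results)


# Constructed account stack in the shape authconfig writes, using the pam_ldap line
# quoted in the report; FIXED_STACK is the reporter's change (user_unknown=ignore removed).
AUTHCONFIG_STACK = """\
account required   /lib/security/$ISA/pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required   /lib/security/$ISA/pam_permit.so
"""
FIXED_STACK = AUTHCONFIG_STACK.replace(" user_unknown=ignore", "")

# Assumed per-module results. With pubkey login sshd skips the auth stack entirely,
# so the account stack is the only place pam_ldap gets to object.
DENIED_LDAP_USER = {"pam_unix.so": "success", "pam_ldap.so": "user_unknown"}   # pam_filter matched nothing
ALLOWED_LDAP_USER = {"pam_unix.so": "success", "pam_ldap.so": "success"}
LOCAL_USER = {"pam_unix.so": "success", "pam_ldap.so": "user_unknown"}         # not in LDAP at all

if __name__ == "__main__":
    for label, stack in (("authconfig", AUTHCONFIG_STACK), ("fixed", FIXED_STACK)):
        for who, rc in (("denied ldap user", DENIED_LDAP_USER),
                        ("allowed ldap user", ALLOWED_LDAP_USER),
                        ("local user", LOCAL_USER)):
            print(f"{label:10s} {who:18s} -> {decide(stack, rc)}")
```

The model reproduces both sides of the thread: the authconfig stack lets the filtered-out LDAP user in because the ignore action leaves pam_unix's ok standing, the fixed stack turns pam_ldap's user_unknown into a sticky bad, and the same bad also lands on every local account, which is why the maintainer points at a per-host system-auth-local instead of a change to authconfig.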