Red Hat Bugzilla – Bug 223031
authconfig, sshd & pam_ldap do not work as expected with ~/.ssh/authorized_keys
Last modified: 2007-11-16 20:14:55 EST
Description of problem:
Using the attached trust.schema with openldap (from the management application
gosa, http://gosa.gonicus.de), it is possible to restrict access to only certain
hosts by adding a pam_filter to /etc/ldap.conf. If a user uses
~/.ssh/authorized_keys mechanism to log in to a host without a password, this
pam_filter is silently ignored, as sshd seems to pass OK to pam_unix.so.
Processing is then passed to the account stack, pam_ldap.so is set by authconfig
to ignore user_unknown return codes, meaning that a user who does NOT have
access to this host can use an authorized_keys file in his home-directory shared
among multiple hosts to illegally gain access to a server.
Version-Release number of selected component (if applicable):
also verified with authconfig-5.3.11-1.el5
(not tested with previous versions, I assume this behaviour persists there as well).
By following the steps below and trying to log in with a user who should not
have access to the host.
Steps to Reproduce:
0. add the attached trust.schema file to the ldap-server.
1. Setup ldap-authentication on the host. add the following ldif-snippet to a
user in the ldap:
2. setup authentication via ~/.ssh/authorized_keys for the user to test.
3. add the following filter to the /etc/ldap.conf file on the host the user
should NOT have access to:
[change hostname accordingly to the local host]
4. now try logging in with the user configured above
The user can log into the host without entering his password, even though ldap
and pam are configured to not let him in.
The user should be denied access. Doesn't matter how. With the fix below
applied, RHEL-5b2 will drop the SSH connection, RHEL-4.4 will require the user
to enter his password three times and then fail.
pam_ldap.so returns a PAM_USER_UNKNOWN code for ldap searches which do not
return any results. Setting user_unknown=ignore in the account section of
/etc/pam.d/system-auth will allow a user who has bypassed pam_ldap.so in the
auth section to log in regardless of whether he is allowed to or not.
changing the line to:
account [default=bad success=ok] /lib/security/$ISA/pam_ldap.so
results in the expected behaviour.
Created attachment 145835 [details]
Trust schema for use in openldap.
Authconfig is not a universal tool which can fit in every possible
authentication/authorization services setup. Changing the authconfig behavior as
requested would break local account login (/etc/passwd), breaking many other setups.
You will have to modify the /etc/pam.d/system-auth manually. Or you can
completely disable pubkey authentication in /etc/ssh/sshd_config.
Note also that authconfig in RHEL5 allows local modification of
/etc/pam.d/system-auth - simply point the symlink created by authconfig to
system-auth-local which would contain just:
auth include system-auth-ac
account required pam_unix.so
account required pam_ldap.so
password include system-auth-ac
session include system-auth-ac
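To make the account-stack behaviour discussed in the report and in the reply above concrete, here is a small added model of how Linux-PAM walks an account stack. It is not code from this bug, from authconfig or from Linux-PAM. It implements only the control actions (ok, bad, die, done, ignore) needed to compare three stacks: my reconstruction of the authconfig line the reporter describes (pam_ldap with user_unknown=ignore), the reporter's one-line fix ([default=bad success=ok]), and the maintainer's system-auth-local (account required pam_ldap.so). The module return codes are assumed: pam_unix is taken to succeed because the account is still visible through nss_ldap, while pam_ldap reports user_unknown because the pam_filter excludes the host.

```python
"""Toy model of how Linux-PAM walks an *account* stack.

Added illustration for this bug report: it is not code from the page, from
authconfig or from Linux-PAM, and it implements only the control actions
(ok, bad, die, done, ignore) needed to show why an account line that maps
pam_ldap's user_unknown to ignore admits a user whom the LDAP pam_filter
excludes, once sshd has already satisfied auth via ~/.ssh/authorized_keys.
"""
import re

# Linux-PAM's documented expansions of the simple control keywords.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok",
                   "default": "ignore"},
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")


def parse_stack(text, facility="account"):
    """Return [(actions, module)] for the lines of one PAM facility."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line)
        if not m or m.group(1) != facility:
            continue
        control, module = m.group(2), m.group(3).rsplit("/", 1)[-1]
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = SIMPLE_CONTROLS[control]
        stack.append((actions, module))
    return stack


def evaluate(stack, returns):
    """Walk the stack, looking up each module's return code in `returns`
    (default: "success") and applying the control action for it.  The first
    'bad' fixes the final result; 'done' returns early only if nothing has
    failed yet; 'ignore' leaves the result untouched."""
    failed = succeeded = False
    for actions, module in stack:
        code = returns.get(module, "success")
        action = actions.get(code, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            failed = True
            if action == "die":
                break
        else:  # ok / done
            succeeded = True
            if action == "done" and not failed:
                break
    return "PAM_SUCCESS" if succeeded and not failed else "PAM_PERM_DENIED"


def decide(config_text, returns):
    return evaluate(parse_stack(config_text), returns)


# Constructed account stacks.  AUTHCONFIG_STYLE is my reconstruction of the
# line the report describes (pam_ldap told to ignore user_unknown); the other
# two are the reporter's one-line fix and the maintainer's system-auth-local.
AUTHCONFIG_STYLE = """
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
"""
REPORTER_FIX = """
account     required      pam_unix.so
account     [default=bad success=ok] /lib/security/$ISA/pam_ldap.so
"""
MAINTAINER_LOCAL = """
account     required      pam_unix.so
account     required      pam_ldap.so
"""

# Assumed module results for a user the pam_filter excludes on this host:
# pam_unix still finds the account through nss_ldap and succeeds, while
# pam_ldap's filtered search returns nothing and it reports user_unknown.
FILTERED_OUT_USER = {"pam_unix.so": "success", "pam_ldap.so": "user_unknown"}
PERMITTED_USER = {"pam_unix.so": "success", "pam_ldap.so": "success"}

if __name__ == "__main__":
    for name, cfg in [("authconfig", AUTHCONFIG_STYLE),
                      ("reporter fix", REPORTER_FIX),
                      ("maintainer local", MAINTAINER_LOCAL)]:
        print(f"{name:17s} filtered-out user -> {decide(cfg, FILTERED_OUT_USER)}"
              f", permitted user -> {decide(cfg, PERMITTED_USER)}")
```

Running it shows the reconstructed authconfig stack returning PAM_SUCCESS for the filtered-out user (pam_unix's ok is the only result that counts once user_unknown is mapped to ignore), while both the reporter's control field and the maintainer's two required lines map user_unknown to bad and return PAM_PERM_DENIED; a user the filter permits passes all three. The same parse-and-walk approach is a cheap way to audit a real system-auth for any account line that ignores user_unknown on a module whose job is to authorize.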