Bug 732081 - PAM does not correctly parse @users@@hosts netgroup syntax in /etc/security/access.conf
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: pam
Version: 15
Hardware: i686 Linux
Priority: unspecified
Severity: high
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-08-19 13:55 EDT by Stephen Fromm
Modified: 2011-09-13 17:32 EDT
Fixed In Version: pam-1.1.4-4.fc15
Doc Type: Bug Fix
Last Closed: 2011-09-06 23:27:21 EDT
Description Stephen Fromm 2011-08-19 13:55:46 EDT
Description of problem:

I use /etc/security/access.conf to restrict what hosts users can log into and from where via SSH.  This is controlled via netgroups.  In access.conf, I have rules such as:

+ : @staff@@private-hosts : 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24
+ : @staff@@bastion-hosts : ALL
- : ALL : ALL

The above should allow users in the netgroup staff to connect to hosts in the netgroup private-hosts from the above networks.  The same users are allowed to connect to the bastion hosts from anywhere.  All other connections are denied.  This works in F13, F14, RHEL5, and RHEL6.

On Fedora 15 and pam-1.1.3-8, PAM does not correctly parse the @users@@hosts syntax and authorizes any authenticated user to connect to private-hosts from any location.  

If I drop the @@netgroup suffix, PAM will correctly limit connections to users in the netgroup staff.

+ : @staff : 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24
+ : @staff : ALL

The manpage access.conf(5) says the @@netgroupname syntax should work:

       The @@netgroupname syntax is supported in the user pattern
       only and it makes the local system hostname to be passed to the
       netgroup match call in addition to the user name.

I can look up all of the above netgroups via 'getent netgroup <name>'.

Version-Release number of selected component (if applicable):

Fedora 15 and pam-1.1.3-8.

How reproducible:

Always.

Steps to Reproduce:
1.  Create netgroups similar to:

staff:
      (,bob,)
      (,jsmith,)
      (,ned,)
private-hosts:
      (host1.example.net,,)
      (host2.example.net,,)
      (host3.example.net,,)
bastion-hosts:
      (bastion.example.net,,)

2.  Update access.conf with rules similar to above.
3.  Update /etc/pam.d/sshd to refer to access.conf

account    required     pam_access.so accessfile=/etc/security/access.conf

4.  Update /etc/ssh/sshd_config and set 'UsePAM yes'.

Actual results:

Authenticated users (not just those in the staff netgroup) are authorized to connect to any host from any location.

Expected results:

Authenticated user in netgroup staff is authorized to connect to private-hosts from designated networks.  SSH connections from other locations are only allowed to hosts in bastion-hosts.

Additional info:

As stated above, this same configuration works on F13, F14, RHEL5, and RHEL6.
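The rule table and netgroups in the report, as an added example that is not part of the bug report or of pam's own source: a small Python model of how a `+/- : users : origins` table with `@users@@hosts` tokens is expected to evaluate (user in the first netgroup and the local hostname in the second, as the report describes, plus the manpage's `@@netgroup` form). The netgroup triples, hostnames and addresses are constructed from the report; `innetgr`, `user_token_matches`, `origin_token_matches`, `parse_rules` and `check_access` are assumed helper names, and `EXCEPT` lists are not modelled. The allow/deny table it produces is the one to compare against a real pam_access (for instance with its `debug` option) before and after the update.

```python
"""Model of pam_access rule evaluation for @users@@hosts netgroup tokens.

Added example, not pam_access source.  It encodes the semantics the report
expects so the allow/deny outcomes can be tabulated offline and compared
with a real pam_access run.  EXCEPT lists are not modelled.
"""
import ipaddress

# Constructed netgroup triples (host, user, domain), copied from the report.
# None stands for an empty field, which innetgr(3) treats as a wildcard.
NETGROUPS = {
    "staff": [(None, "bob", None), (None, "jsmith", None), (None, "ned", None)],
    "private-hosts": [("host1.example.net", None, None),
                      ("host2.example.net", None, None),
                      ("host3.example.net", None, None)],
    "bastion-hosts": [("bastion.example.net", None, None)],
}

# Constructed copy of the access.conf rules from the report.
ACCESS_CONF = """\
+ : @staff@@private-hosts : 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24
+ : @staff@@bastion-hosts : ALL
- : ALL : ALL
"""


def innetgr(netgroup, host=None, user=None, domain=None):
    """innetgr(3)-style lookup against NETGROUPS (assumed helper).

    A None argument matches any value; a None field in a triple is a
    wildcard.  An unknown netgroup never matches, so a typo fails closed.
    """
    for h, u, d in NETGROUPS.get(netgroup, ()):
        if host is not None and h is not None and h != host:
            continue
        if user is not None and u is not None and u != user:
            continue
        if domain is not None and d is not None and d != domain:
            continue
        return True
    return False


def user_token_matches(tok, user, local_host):
    """Users field: ALL, a login name, @netgroup, @@netgroup or @users@@hosts.

    @@netgroup passes the local hostname together with the user name to the
    netgroup match (the access.conf(5) wording quoted in the report);
    @users@@hosts requires the user in `users` AND the local host in `hosts`,
    which is what the report's rules rely on.
    """
    if tok == "ALL":
        return True
    if tok.startswith("@@"):
        return innetgr(tok[2:], host=local_host, user=user)
    if tok.startswith("@"):
        body = tok[1:]
        if "@@" in body:
            users_ng, hosts_ng = body.split("@@", 1)
            return (innetgr(users_ng, user=user)
                    and innetgr(hosts_ng, host=local_host))
        return innetgr(body, user=user)
    return tok == user


def origin_token_matches(tok, origin):
    """Origins field: ALL, a CIDR network or address, a hostname, or
    @netgroup of hosts.  `origin` is the remote address or hostname."""
    if tok == "ALL":
        return True
    if tok.startswith("@"):
        return innetgr(tok[1:], host=origin)
    try:
        return ipaddress.ip_address(origin) in ipaddress.ip_network(tok, strict=False)
    except ValueError:  # tok or origin is not an IP literal: compare as names
        return tok == origin


def parse_rules(text):
    """Parse 'perm : users : origins' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError("malformed access.conf line: %r" % raw)
        rules.append((fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules


def check_access(rules, user, local_host, origin):
    """First matching rule decides.  pam_access grants access when no rule
    matches at all, which is why the report's table ends with '- : ALL : ALL'."""
    for allow, users, origins in rules:
        if (any(user_token_matches(u, user, local_host) for u in users)
                and any(origin_token_matches(o, origin) for o in origins)):
            return allow
    return True


if __name__ == "__main__":
    rules = parse_rules(ACCESS_CONF)
    # Constructed scenarios: staff member bob, non-staff alice, an unlisted
    # host, from an inside network and from an outside address.
    for user, host, origin in [("bob", "host1.example.net", "10.0.1.5"),
                               ("bob", "host1.example.net", "192.0.2.10"),
                               ("bob", "bastion.example.net", "192.0.2.10"),
                               ("alice", "host1.example.net", "10.0.1.5"),
                               ("bob", "host9.example.net", "10.0.1.5")]:
        verdict = "ALLOW" if check_access(rules, user, host, origin) else "DENY"
        print("%-5s %-5s on %-20s from %s" % (verdict, user, host, origin))
```

Run it on a box that shows the bug and every row for a non-staff user, or for a staff user from an outside address to a private host, should read DENY; if the live pam_access lets those sessions through while this table denies them, the `@users@@hosts` token is being misparsed.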
Comment 1 Fedora Update System 2011-08-25 13:38:51 EDT
pam-1.1.4-4.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/pam-1.1.4-4.fc15
Comment 2 Fedora Update System 2011-08-25 13:38:59 EDT
pam-1.1.4-4.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/pam-1.1.4-4.fc16
Comment 3 Fedora Update System 2011-08-26 10:19:33 EDT
Package pam-1.1.4-4.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam-1.1.4-4.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/pam-1.1.4-4.fc16
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2011-09-06 23:27:15 EDT
pam-1.1.4-4.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2011-09-09 01:29:07 EDT
pam-1.1.4-4.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Stephen Fromm 2011-09-13 17:32:13 EDT
Verified that this now works as intended.  Thank you!
