Bug 740233 - PAM does not correctly parse @users@@hosts netgroup syntax in /etc/security/access.conf
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam
Version: 6.1
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assignee: Tomas Mraz
QA Contact: Dalibor Pospíšil
URL:
Whiteboard:
Depends On:
Blocks: 836160
Reported: 2011-09-21 11:32 UTC by Richard Rudd
Modified: 2014-10-14 08:09 UTC (History)

Fixed In Version: pam-1.1.1-18.el6
Doc Type: Bug Fix
Doc Text:
no docs needed
Clone Of:
Environment:
Last Closed: 2014-10-14 08:09:29 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1579 normal SHIPPED_LIVE pam bug fix update 2014-10-14 01:27:19 UTC

Description Richard Rudd 2011-09-21 11:32:39 UTC
Description of problem:

I use /etc/security/access.conf to restrict what hosts users can log into and
from where via SSH.  This is controlled via netgroups.  In access.conf, I have 
rules such as:

+ : @staff@@private-hosts : @staff
- : ALL : ALL

The above should allow users in the netgroup staff to connect to hosts in the
netgroup private-hosts from the desktops in the staff netgroup.  All other connections are denied.  This works in RHEL4 and RHEL5.

On RHEL6 and pam-1.1.1-8, PAM is not correctly parsing the @users@@hosts
syntax and fails to allow users to connect.  

If I drop the @@netgroup suffix, PAM will allow the users in the netgroup staff to connect.

+ : @staff : @staff

The manpage access.conf(5) says the @@netgroupname syntax should work:

       The @@netgroupname syntax is supported in the user pattern
       only and it makes the local system hostname to be passed to the
       netgroup match call in addition to the user name.

I can look up all of the above netgroups via 'getent netgroup <name>'.

Version-Release number of selected component (if applicable):

RHEL6 and pam-1.1.1-8

How reproducible:

Always

Steps to Reproduce:

1.  Create netgroups similar to:

staff:
      (desktop1.example.net,bob,-)
      (desktop2.example.net,jsmith,-)
      (desktop3.example.net,ned,-)
private-hosts:
      (host1.example.net,-,-)
      (host2.example.net,-,-)
      (host3.example.net,-,-)
bastion-hosts:
      (bastion.example.net,-,-)

2.  Update access.conf with rules similar to above.
3.  Update /etc/pam.d/sshd to refer to access.conf

account    required     pam_access.so accessfile=/etc/security/access.conf

4.  Update /etc/ssh/sshd_config and set 'UsePAM yes'.
  
Actual results:

Authentication fails.

Expected results:

Authenticated user in netgroup staff is authorized to connect to private-hosts
from only desktops in the staff group.

Additional info:

Bug 732081 appears to be related
https://bugzilla.redhat.com/show_bug.cgi?id=732081

Comment 1 Richard Rudd 2011-09-21 13:56:14 UTC
Further investigation reveals that this appears to be related to the "-" placeholder in the netgroups causing the match to fail.  If I remove the "-" so that they are as below, then the users can authenticate successfully.

staff:
      (desktop1.example.net,bob,)
private-hosts:
      (host1.example.net,,)

There is an old bug report regarding this which is discussed here:
http://sourceforge.net/tracker/?func=detail&aid=2892189&group_id=6663&atid=106663

Comment 2 Richard Rudd 2011-10-18 12:54:21 UTC
I have now resolved this issue, which is related to the following knowledge base article regarding netgroup-based access control using pam_access.so in Red Hat Enterprise Linux 6.

The pam_access.so module in RHEL 6 does extra checking against the domainname while matching rules in /etc/security/access.conf. If nisdomainname is empty (which it is by default), it will match domainname=<empty> against the rule and so the rule didn't match, which is the reason access is denied for the user who is a member of a netgroup.

Our solution was to set the nis domain name to match the entry in the netgroup.

Comment 3 Richard Rudd 2011-10-18 12:55:12 UTC
Link to the KB article: https://access.redhat.com/kb/docs/DOC-64587
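Added illustration for this bug, not code from the report, from pam_access or from glibc: a Python model of how the reporter's access.conf rules resolve through innetgr(3)-style triple matching, including the domain field that Comment 2 identifies as the cause. The netgroups and rules are constructed from the Description (steps 1 and 2), and the function names (field_matches, innetgr, access_decision and the rest) are this example's own. It assumes innetgr's field semantics: an empty triple field matches anything, a NULL query argument leaves a field unconstrained, and every other value must compare equal, so a triple domain of "-" does not match an empty-string domain.

```python
# Netgroup triples (host, user, domain) as in step 1 of the report.
# "" in a field is a wildcard; "-" is a literal value that only matches "-".
NETGROUPS = {
    "staff": [
        ("desktop1.example.net", "bob", "-"),
        ("desktop2.example.net", "jsmith", "-"),
        ("desktop3.example.net", "ned", "-"),
    ],
    "private-hosts": [
        ("host1.example.net", "-", "-"),
        ("host2.example.net", "-", "-"),
        ("host3.example.net", "-", "-"),
    ],
    "bastion-hosts": [("bastion.example.net", "-", "-")],
}

# access.conf rules from the report: (permission, users field, origins field).
RULES = [
    ("+", "@staff@@private-hosts", "@staff"),
    ("-", "ALL", "ALL"),
]


def field_matches(triple_field, query):
    """One field of a triple (assumed innetgr semantics): an empty triple
    field matches anything, a query of None leaves the field unconstrained,
    anything else must compare equal. So a triple domain of "-" does not
    match an empty-string query domain."""
    if triple_field == "" or query is None:
        return True
    return triple_field == query


def innetgr(name, host, user, domain):
    """Model of innetgr(3): true if some triple in the netgroup matches."""
    return any(
        field_matches(h, host) and field_matches(u, user) and field_matches(d, domain)
        for h, u, d in NETGROUPS.get(name, ())
    )


def users_field_matches(pattern, user, local_host, domain):
    """users field of a rule: ALL, a plain user name, or @users[@@hosts].
    With the @@hosts suffix the local hostname must also be in the second
    netgroup, which is what the reporter's rule relies on."""
    if pattern == "ALL":
        return True
    if not pattern.startswith("@"):
        return pattern == user
    user_ng, sep, host_ng = pattern[1:].partition("@@")
    if not innetgr(user_ng, None, user, domain):
        return False
    return innetgr(host_ng, local_host, None, domain) if sep else True


def origins_field_matches(pattern, from_host, domain):
    """origins field: ALL, a host name, or @netgroup checked against the
    connecting host only."""
    if pattern == "ALL":
        return True
    if pattern.startswith("@"):
        return innetgr(pattern[1:], from_host, None, domain)
    return pattern == from_host


def access_decision(rules, user, local_host, from_host, domain):
    """First matching rule wins: '+' permits, '-' denies. With no matching
    rule pam_access permits, which is why the rules end with '- : ALL : ALL'."""
    for perm, users, origins in rules:
        if users_field_matches(users, user, local_host, domain) and \
                origins_field_matches(origins, from_host, domain):
            return perm == "+"
    return True


if __name__ == "__main__":
    # bob on desktop1 logging into host1, under three domain values.
    for label, domain in [("empty nisdomainname", ""),
                          ("domain left unconstrained", None),
                          ("nisdomainname set to '-' (reporter's workaround)", "-")]:
        ok = access_decision(RULES, "bob", "host1.example.net",
                             "desktop1.example.net", domain)
        print(f"{label}: {'permitted' if ok else 'denied'}")
```

Run stand-alone, the model reproduces the three observations on this page: with an empty domain string the "-" triples never match and the catch-all deny rule fires; dropping "-" from the triples (Comment 1) turns the field into a wildcard; and setting the NIS domain name to the triple's value (Comment 2) makes the equality hold. A defender auditing access.conf can use the same model to confirm that a rule set fails closed for users and hosts outside the netgroups rather than silently permitting them.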

Comment 5 Suzanne Yeghiayan 2012-02-14 23:16:18 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 6 RHEL Product and Program Management 2013-09-11 12:12:54 UTC
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.

Comment 10 errata-xmlrpc 2014-10-14 08:09:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1579.html

