Feature #12472

closed

pam_list does not have 'group' option

Added by Jorge Schrauwen over 1 year ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Start date:
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

Both linux and solaris 11+ have a 'group' option for pam_list

group

    The allow/deny file contains group names rather than usernames.

It would be nice to have this too so we can limit logins to certain groups, e.g. servers limit to the srvadmins group but keep workstations open for all. (when using a directory like LDAP or AD for accounts)

Now we can only filter based on user or netgroup

Actions #2

Updated by Jorge Schrauwen over 1 year ago

22:18 LeftWing: I think he probably means sysconf(3C)
22:18 LeftWing: It seems _SC_GETGR_R_SIZE_MAX is the "Max size of group entry buffer" there
23:23 jbk: err yeah.. sorry
23:23 jbk: if the other modules are doing it, then i wouldn't worry..
23:27 LeftWing: If we know how to do the right thing (i.e., sysconf()) we should just do that
23:27 LeftWing: Some parts of the gate use it already

Actions #3

Updated by Jorge Schrauwen over 1 year ago

changes for sysconf made

some testing I've done:

[root@ldap1 ~]# grep -v '^#' /etc/pam.conf | grep -v '^$'
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth binding            pam_unix_auth.so.1 server_policy
login   auth required           pam_dial_auth.so.1
login   auth required           pam_ldap.so.1
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
gdm-autologin auth  required    pam_unix_cred.so.1
gdm-autologin auth  sufficient  pam_allow.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1
passwd  auth binding            pam_passwd_auth.so.1 server_policy
passwd  auth required           pam_ldap.so.1
cron    account required        pam_unix_account.so.1
cups    account required        pam_unix_account.so.1
gdm-autologin account  sufficient  pam_allow.so.1
login   account required        pam_list.so.1 group allow=/etc/users.allow
other   account requisite       pam_roles.so.1
other   account required        pam_list.so.1 group allow=/etc/users.allow
other   account binding         pam_unix_account.so.1
other   account required        pam_ldap.so.1
other   session required        pam_unix_session.so.1
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password binding        pam_authtok_store.so.1 server_policy

[root@ldap1 ~]# cat /etc/users.allow
root
%admins

[root@ldap1 ~]# getent group admins
admins::10002:sjorge

o[root@carbon ~]# zlogin -C ab3cafc2-ae36-40ca-8193-ff9fb4dd7762
[Connected to zone 'ab3cafc2-ae36-40ca-8193-ff9fb4dd7762' console]

ldap1 console login: sjorge
Password:
2020-04-12T13:43:44+00:00 ldap1 login: [ID 293258 auth.error] libsldap: Status: 49  Mesg: openConnection: simple bind failed - Invalid credentials
Login incorrect
ldap1 console login: sjorge
Password:
Last login: Sun Apr 12 13:40:29 from 2001:470:7ee7:3
ldap1% xi  exit

ldap1 console login: tmartine
Password:
2020-04-12T13:44:02+00:00 ldap1 login: [ID 293258 auth.error] libsldap: Status: 49  Mesg: openConnection: simple bind failed - Invalid credentials
Login incorrect
ldap1 console login: tmartine
Password:
Login incorrect
2020-04-12T13:44:09+00:00 ldap1 login: [ID 468494 auth.crit] login account failure: Permission denied

[hyperon :: sjorge][~]
[■]$ ssh ldap1.acheron.be -l sjorge
ldap1% exit
Connection to ldap1.acheron.be closed.
[hyperon :: sjorge][~]
[■]$ ssh ldap1.acheron.be -l tmartine
Password:
tmartine@ldap1.acheron.be: Permission denied (publickey,keyboard-interactive).

2020-04-12T13:44:47+00:00 ldap1 sshd[58968]: [ID 800047 auth.error] error: PAM: User account has expired for tmartine from xxx
Actions #4

Updated by Jorge Schrauwen over 1 year ago

2nd set of improvements as suggested by jbk.
- move realloc outside of loop
- fix double free
- return PAM_ERR_BUF if we can't realloc the grbuf

Actions #5

Updated by Jorge Schrauwen over 1 year ago

3rd pass with more feedback from jbk
- check sysconf for 1 return and error out
- move grbuflen inside pam_sm_acct_mgmt
- change from size_t to int to match other uses of sysconf in pam_modules.
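
The following is an added example, not the pam_list source from this ticket or the illumos gate. It ties together the two things discussed above: the allow file with `%group` entries used in the tests, and a getgrnam_r() buffer sized from sysconf(_SC_GETGR_R_SIZE_MAX) that is grown only on ERANGE, with the sysconf -1 return, the realloc failure and the double-free pitfalls from the review handled. It uses the POSIX/glibc getgrnam_r() signature (int return plus result pointer) rather than the illumos one, so it is not a drop-in for pam_list.c; the `%` prefix is taken from the users.allow shown in the test output; the primary-gid check, the names user_in_group, allow_list_permits, GC_* and SAMPLE_ALLOW are this example's own; and the sample list is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Outcome of checking one user against one group (names are this example's own). */
enum group_check {
    GC_ERROR = -1,       /* allocation or lookup failure, the PAM_BUF_ERR case in the ticket */
    GC_NO_MATCH = 0,
    GC_MATCH = 1,
    GC_NO_SUCH_GROUP = 2 /* the "X is not a known group" case logged in the ticket */
};

/*
 * Initial size for the getgrnam_r() buffer. sysconf() returns -1 when the
 * limit is indeterminate, so that must be checked before the value is used
 * as an allocation size; fall back to a fixed size and let the ERANGE loop
 * below grow it.
 */
static long initial_grbuf_len(void)
{
    long len = sysconf(_SC_GETGR_R_SIZE_MAX);
    return (len > 0) ? len : 1024;
}

/*
 * Is `user` a member of `group`? Counts explicit gr_mem membership and the
 * user's primary gid (which is not listed in gr_mem). POSIX getgrnam_r()
 * signature, not the illumos one.
 */
static enum group_check user_in_group(const char *user, const char *group)
{
    long len = initial_grbuf_len();
    char *buf = malloc((size_t)len);
    struct group gr, *grp = NULL;
    int rc, found = 0;

    if (buf == NULL)
        return GC_ERROR;
    /* Grow the buffer only while the library reports it is too small. */
    while ((rc = getgrnam_r(group, &gr, buf, (size_t)len, &grp)) == ERANGE) {
        char *nbuf;
        if (len >= (1L << 20)) {    /* refuse to grow without bound */
            free(buf);
            return GC_ERROR;
        }
        len *= 2;
        nbuf = realloc(buf, (size_t)len);
        if (nbuf == NULL) {         /* buf is still valid here: free it exactly once */
            free(buf);
            return GC_ERROR;
        }
        buf = nbuf;
    }
    if ((rc == 0 && grp == NULL) || rc == ENOENT || rc == ESRCH) {
        free(buf);
        return GC_NO_SUCH_GROUP;
    }
    if (rc != 0) {
        free(buf);
        return GC_ERROR;
    }
    for (char **m = grp->gr_mem; *m != NULL && !found; m++)
        found = (strcmp(*m, user) == 0);
    if (!found) {
        /* Primary-group membership lives in passwd, not in gr_mem. */
        struct passwd pw, *pwp = NULL;
        char pwbuf[4096];           /* fixed size; a huge entry would need the same ERANGE loop */
        if (getpwnam_r(user, &pw, pwbuf, sizeof(pwbuf), &pwp) == 0 &&
            pwp != NULL && pwp->pw_gid == grp->gr_gid)
            found = 1;
    }
    free(buf);
    return found ? GC_MATCH : GC_NO_MATCH;
}

/*
 * Evaluate allow-file contents (one entry per line) for `user`. With
 * group_option set, lines starting with '%' name groups as in the ticket's
 * users.allow; without it every line is compared as a username, which is why
 * the unmodified module in the tests rejected everyone except root. Returns 1
 * if allowed, 0 otherwise; unknown groups are logged and skipped.
 */
static int allow_list_permits(const char *contents, const char *user, int group_option)
{
    char *copy = strdup(contents), *save = NULL;
    int permitted = 0;

    if (copy == NULL)
        return 0;
    for (char *line = strtok_r(copy, "\n", &save); line != NULL && !permitted;
         line = strtok_r(NULL, "\n", &save)) {
        if (*line == '\0' || *line == '#')
            continue;
        if (group_option && *line == '%') {
            enum group_check r = user_in_group(user, line + 1);
            if (r == GC_NO_SUCH_GROUP)
                fprintf(stderr, "pam_list: %s is not a known group\n", line + 1);
            else if (r == GC_MATCH)
                permitted = 1;
        } else if (strcmp(line, user) == 0) {
            permitted = 1;
        }
    }
    free(copy);
    return permitted;
}

/* Constructed sample list, modelled on the ticket's /etc/users.allow. */
static const char SAMPLE_ALLOW[] = "root\n%admins\n";

int main(void)
{
    printf("root allowed: %d\n", allow_list_permits(SAMPLE_ALLOW, "root", 1));
    printf("unknown user allowed: %d\n", allow_list_permits(SAMPLE_ALLOW, "nobody_such_user", 1));
    return 0;
}
```

Run as root or not, the "root" entry matches by name before any group lookup happens; an unlisted user is checked against the `admins` group, and if that group does not exist on the host the "not a known group" line is emitted on stderr and the user is refused, mirroring the two outcomes in the test logs above.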

Actions #6

Updated by Jorge Schrauwen over 1 year ago

I've redone the testing.

1. I've updated pam.conf and added the following in their respective sections

login   account required        pam_list.so.1 group allow=/etc/users.allow
other   account required        pam_list.so.1 group allow=/etc/users.allow

2. created /etc/users.allow with the following content

root
%admins

3. tried to login using:
- sjorge (member of admins group)
- root (not member of admins group, but listed explicitly)
- tmartine (member of the users group)

This was done on the console using zlogin -C and over ssh (both password and pubkey).
When using a password I also did it with a bad and good password.

For a bad password the result was:

2020-04-12T13:44:02+00:00 isotope login: [ID 293258 auth.error] libsldap: Status: 49  Mesg: openConnection: simple bind failed - Invalid credentials

For a good password but with no access:

2020-04-12T13:44:09+00:00 isotope login: [ID 468494 auth.crit] login account failure: Permission denied

4. tests were done on 3 zones
- one with just files as backend in nsswitch.conf
- one running ldapclient with the groups/users coming from ldap
- one without an updated pam_list.so... this one failed for everything except 'root', as %admins was treated as a user that did not match any of the accounts used.

Currently trying to figure out how to get it up on code.illumos.org.

Actions #8

Updated by Jorge Schrauwen over 1 year ago

Also tested a case when a non-existing user is added to users.allow

2020-04-22T12:16:01+00:00 ldap1 login: [ID 729612 auth.error] pam_list: no_such_group is not a known group

Gets the error as expected.

Actions #9

Updated by Jorge Schrauwen over 1 year ago

retested everything again after the last changes from the review:

1. I've updated pam.conf and added the following in their respective sections

login   account required        pam_list.so.1 group allow=/etc/users.allow
other   account required        pam_list.so.1 group allow=/etc/users.allow

2. created /etc/users.allow with the following content

root
%admins

3. tried to login using:
- sjorge (member of admins group)
- root (not member of admins group, but listed explicitly)
- tmartine (member of the users group)

This was done on the console using zlogin -C and over ssh (both password and pubkey).
When using a password I also did it with a bad and good password.

For a bad password the result was:

2020-04-24T13:53:04+00:00 isotope login: [ID 293258 auth.error] libsldap: Status: 49  Mesg: openConnection: simple bind failed - Invalid credentials

For a good password but with no access:

2020-04-24T13:53:12+00:00 isotope login: [ID 468494 auth.crit] login account failure: Permission denied

4. updated users.allow and added %no_such_group

2020-04-24T14:01:09+00:00 ldap1 login: [ID 729612 auth.error] pam_list: no_such_group is not a known group

5. tests were done on 3 zones
- one with just files as backend in nsswitch.conf
- one running ldapclient with the groups/users coming from ldap
- one without an updated pam_list.so... this one failed for everything except 'root', as %admins was treated as a user that did not match any of the accounts used.

Actions #10

Updated by Electric Monk over 1 year ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit 7112648bd7986a88f0ffa61263d5cbf7229d8b03

commit  7112648bd7986a88f0ffa61263d5cbf7229d8b03
Author: Jorge Schrauwen <sjorge@blackdot.be>
Date:   2020-04-24T19:30:44.000Z

    12472 pam_list does not have 'group' option
    Reviewed by: C Fraire <cfraire@me.com>
    Reviewed by: Andy Fiddaman <andy@omniosce.org>
    Reviewed by: Jason King <jason.brian.king+illumos@gmail.com>
    Reviewed by: Juraj Lutter <juraj@lutter.sk>
    Approved by: Dan McDonald <danmcd@joyent.com>
