paul at xtdnet.nl
2000-Mar-08 14:17 UTC
NIS, PAM, OpenSSH. Seems to work perfectly (one minor concern)
I just spent some time trying to figure out how to get OpenSSH to work correctly with NIS and PAM. It seems to work fine, apart from one minor worry I still have (see below). Feedback about grave security risks is welcome :)

This is using RedHat 6.1 with updates and the OpenSSH 1.2.2p1-1 RPMs on the NIS server as well as the client.

In short, my configuration is:

/etc/nsswitch.conf:

    passwd: compat
    group:  compat
    shadow: files nis

In /etc/passwd I added:

    +@staff::::::
    +::::::/bin/nologin

/etc/pam.d/login:

    #%PAM-1.0
    auth       required     /lib/security/pam_securetty.so
    auth       required     /lib/security/pam_unix_auth.so
    auth       required     /lib/security/pam_nologin.so
    account    required     /lib/security/pam_unix_acct.so
    password   required     /lib/security/pam_cracklib.so
    password   required     /lib/security/pam_unix_passwd.so
    session    required     /lib/security/pam_unix_session.so

/etc/pam.d/ssh:

    #%PAM-1.0
    auth       required     /lib/security/pam_pwdb.so shadow nodelay
    auth       required     /lib/security/pam_nologin.so
    account    required     /lib/security/pam_pwdb.so
    password   required     /lib/security/pam_cracklib.so
    password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
    session    required     /lib/security/pam_pwdb.so
    session    required     /lib/security/pam_limits.so

I'm not using MD5 (though I thought I was; must have been caused by a RedHat update). I'm using the default /etc/ssh settings.

In this setup, I can log in as the local users. The NIS users in the netgroup staff can log in fine, and NIS users not in that netgroup get /bin/nologin. Users have a shared homedir, and the ones that have done:

    cat .ssh/identity.pub >> .ssh/authorized_keys

can also not log in when not in the staff netgroup. And when NIS isn't running, it nicely fakes authlookup for NIS users (any non-local users actually) and local users can still nicely log in. Excellent!
Now, in the above case where a user is not a member of the netgroup, I tried to execute a command using ssh:

    ssh -l test host /bin/date

The client gives me:

    debug: Trying RSA authentication with key 'paul@host'
    debug: Received RSA challenge from server.
    debug: Sending response to host key RSA challenge.
    debug: Remote: RSA authentication accepted.
    debug: RSA authentication accepted by server.
    debug: Sending command: /bin/date
    debug: Entering interactive session.
    Environment:
      USER=paul
      LOGNAME=paul
      HOME=/vol/staff/paul
      PATH=/usr/bin:/bin:/usr/sbin:/sbin
      MAIL=/var/spool/mail/paul
      SHELL=/bin/nologin
      SSH_CLIENT=127.0.0.1 622 22
    You have no login on this machine, go away.

and the server:

    debug: Starting up PAM with username "paul"
    debug: Attempting authentication for paul.
    Accepted rsa for paul from 127.0.0.1 port 622
    debug: PAM setting rhost to "localhost"
    debug: Executing command '/bin/date'
    debug: PAM establishing creds
    debug: Entering interactive session.
    debug: Received SIGCHLD.
    debug: End of interactive session; stdin 0, stdout (read 44, sent 44), stderr 179 bytes.
    debug: Command exited with status 0.
    debug: Received exit confirmation.
    Closing connection to 127.0.0.1

    Mar 8 15:09:45 bofh sshd[2356]: Accepted rsa for paul from 127.0.0.1 port 622
    Mar 8 15:10:48 bofh sshd[2356]: Closing connection to 127.0.0.1
    Mar 8 15:10:48 bofh PAM_pwdb[2356]: (sshd) session closed for user paul

My question is if it is possible to change /etc/pam.d/ssh so that the session can still be disallowed. It doesn't seem to execute /bin/date, but it's trying much too hard IMHO. One solution would of course be to only put in those netgroups/users that are allowed to have a login, but for instance that won't work nicely on the mail server, where all accounts need to exist and the users are not allowed to log in.

But I'm quite pleased with OpenSSH within the NIS/PAM/Linux environment as it is right now. Cheers to those that deserve it :)

Paul

PS. On a side note, the previous version I tried, OpenSSH-1.2.1pre11, didn't work.
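As an added example (not part of Paul's post, nor code from OpenSSH or glibc), here is a small Python model of the NSS "compat" passwd lookup the setup above relies on: /etc/passwd is scanned top to bottom and the first matching line wins, `+@netgroup` admits NIS users who are members of that netgroup, a bare `+` admits every NIS user, and any non-empty field on a `+` line overrides the value that came from NIS (which is how the second line forces `/bin/nologin`). The NIS passwd map and netgroup map are constructed sample data, and `login_permitted` is a hypothetical audit helper that shows which users actually end up with a real login shell.

```python
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")
# Constructed stand-ins for the NIS passwd map and the netgroup map.
NIS_PASSWD = {
    "paul": "paul:x:1001:100:Paul:/vol/staff/paul:/bin/bash",
    "test": "test:x:1002:100:Test User:/vol/staff/test:/bin/bash",
}
NETGROUPS = {"staff": {"paul"}}

# The local /etc/passwd from the post, with the two compat lines appended.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
+@staff::::::
+::::::/bin/nologin
"""

def _merge(nis_line, plus_fields):
    """Start from the NIS entry, then let any non-empty '+' field override."""
    entry = dict(zip(FIELDS, nis_line.split(":")))
    for key, value in zip(FIELDS[1:], plus_fields[1:]):
        if value:
            entry[key] = value
    return entry

def _admits(plus_name, user, netgroups):
    """Does a '+' line select this user? '+' = all, '+@ng' = netgroup, '+name'."""
    sel = plus_name[1:]
    if sel.startswith("@"):
        return user in netgroups.get(sel[1:], set())
    return sel in ("", user)

def lookup(user, local_passwd=LOCAL_PASSWD, nis_passwd=NIS_PASSWD,
           netgroups=NETGROUPS):
    """Effective passwd entry for `user` as a dict; None if the user is unknown."""
    for line in local_passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        name = fields[0]
        if name == user:                        # ordinary local entry
            return dict(zip(FIELDS, fields))
        if name.startswith("+") and _admits(name, user, netgroups):
            if user in nis_passwd:              # NIS up and knows the user
                return _merge(nis_passwd[user], fields)
    return None

def login_permitted(user, **kw):
    """Audit check (hypothetical helper): True only for a real login shell."""
    entry = lookup(user, **kw)
    return entry is not None and entry["shell"] != "/bin/nologin"
```

Passing `nis_passwd={}` models NIS being down: the `+` lines then match nobody, so NIS users resolve to nothing while local users are unaffected, which is the fallback behaviour described above.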