We currently have a number of PAM modules in ports, and while some of them are specific to certain third-party software, many aren't. I believe we would benefit from importing at least some of these into base. My question is: which ones?

DES
--
Dag-Erling Smørgrav - des@des.no
On 09/16/11 08:05, Dag-Erling Smørgrav wrote:
> We currently have a number of PAM modules in ports, and while some
> of them are specific to certain third-party software, many aren't.
> I believe we would benefit from importing at least some of these
> into base. My question is: which ones?

LDAP? (We do currently have some work on LDAP integration, but not sure if the community would be interested -- this would need an import of a stripped-down OpenLDAP) and modifies OpenSSH to support public keys in an LDAP directory.

Cheers,
--
Xin LI <delphij@delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
On Fri, 16 Sep 2011 12:29:56 -0500, Xin LI <delphij@delphij.net> wrote:
> LDAP? (We do currently have some work on LDAP integration but not
> sure if the community would be interested -- this would need an import
> of stripped down OpenLDAP) and modifies OpenSSH to support public key
> in LDAP directory.

All of this would be greatly appreciated by myself and my fellow coworkers.
On 09/16/2011 11:05 AM, Dag-Erling Smørgrav wrote:
> My question is: which ones?

security/pam_ssh_agent_auth

It is BSD licensed and handy for sudo.

-Corey Smith
2011/9/16 Dag-Erling Smørgrav <des@des.no>:
> We currently have a number of PAM modules in ports, and while some of
> them are specific to certain third-party software, many aren't. I
> believe we would benefit from importing at least some of these into
> base. My question is: which ones?

Perhaps Google Authenticator?

http://code.google.com/p/google-authenticator/
http://www.freebsd.org/cgi/url.cgi?ports/security/pam_google_authenticator/pkg-descr
2011/9/16 Dag-Erling Smørgrav <des@des.no>
> We currently have a number of PAM modules in ports, and while some of
> them are specific to certain third-party software, many aren't. I
> believe we would benefit from importing at least some of these into
> base. My question is: which ones?
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no

Another vote for LDAP
On 09/16/2011 08:05 AM, Dag-Erling Smørgrav wrote:
> We currently have a number of PAM modules in ports, and while some of
> them are specific to certain third-party software, many aren't. I
> believe we would benefit from importing at least some of these into
> base. My question is: which ones?
>
> DES

LDAP support out of the box would be fantastic.

Mike C
On 09/16/11 17:05, Dag-Erling Smørgrav:
> My question is: which ones?

An anti-brute-force module would be nice. security/pam_af is my favorite. Configurable, fast, BSD license.

Dan
On Sep 16, 2011 10:21 AM, "Dag-Erling Smørgrav" <des@des.no> wrote:
>
> We currently have a number of PAM modules in ports, and while some of
> them are specific to certain third-party software, many aren't. I
> believe we would benefit from importing at least some of these into
> base. My question is: which ones?
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no

+1 for LDAP

-Brandon
Hello, Xin.
You wrote on 16 September 2011, 21:29:56:
> LDAP? (We do currently have some work on LDAP integration but not
> sure if the community would be interested -- this would need an import
> of stripped down OpenLDAP) and modifies OpenSSH to support public key
> in LDAP directory.

A minimal LDAP client, nss/pam_ldap and SSH keys in LDAP out of the box is great! But it disagrees with the trend to strip down the base system :(

--
// Black Lion AKA Lev Serebryakov <lev@FreeBSD.org>
On 9/16/2011 3:10 PM, Corey Smith wrote:
> On 09/16/2011 11:05 AM, Dag-Erling Smørgrav wrote:
>> My question is: which ones?
>
> security/pam_ssh_agent_auth
>
> It is BSD licensed and handy for sudo.

Neato, I didn't know of this module for sudo! However, with the default install on AMD64, I am getting a coredump. I added

# auth
auth		include		system
-
+auth		sufficient	/usr/local/lib/pam_ssh_agent_auth.so file=/etc/sudokeys debug
# account
account		include		system

to /usr/local/etc/pam.d/sudo and added

--- sudoers.sample	2011-09-19 13:24:56.000000000 -0400
+++ sudoers	2011-09-19 13:29:17.000000000 -0400
@@ -62,6 +62,10 @@
 ## Uncomment to enable special input methods. Care should be taken as
 ## this may allow users to subvert the command being run via sudo.
 # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+
+Defaults env_keep += SSH_AUTH_SOCK
+
+

I must be missing something obvious?

---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
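Review bot: in the pam.d/sudo fragment, the added `+auth sufficient /usr/local/lib/pam_ssh_agent_auth.so file=/etc/sudokeys debug` line sits after `auth include system`, so the included system auth stack (and whatever password prompt it contains) still runs before the agent check is ever reached; for a successful agent authentication to short-circuit the stack, the `sufficient` line has to come before the `auth include system` line. Worth moving it up and re-testing before hunting the coredump, since the ordering decides whether the module is even consulted.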
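Review bot: the sudoers hunk adds three blank `+` lines around `Defaults env_keep += SSH_AUTH_SOCK`; one separator is enough and the two trailing blank lines are stray whitespace. A comment next to the `Defaults` line would also help: `env_keep` hands `SSH_AUTH_SOCK` not only to the PAM module but to every command sudo runs, so the elevated command can reach the invoking user's agent, which is the behaviour being enabled here and should be a documented choice.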
Mike Tancsa
2011-Sep-20 19:13 UTC
pam_ssh_agent_auth coredump on AMD64 (was Re: PAM modules)
On 9/19/2011 2:00 PM, Mike Tancsa wrote:
> On 9/16/2011 3:10 PM, Corey Smith wrote:
>> On 09/16/2011 11:05 AM, Dag-Erling Smørgrav wrote:
>>> My question is: which ones?
>>
>> security/pam_ssh_agent_auth
>>
>> It is BSD licensed and handy for sudo.
>
>
> Neato, I didn't know of this module for sudo! However, with the default
> install on AMD64, I am getting a coredump.

Actually, I tried the same setup on i386 and it seems to work just fine. However, on an AMD64 machine, sudo just coredumps. Anyone running this setup on amd64?

Running with -D9, normally it looks something like

% sudo -D9 su
sudo: settings: debug_level=9
sudo: settings: progname=sudo
sudo: settings: network_addrs=....
sudo: sudo_mode 1
sudo: policy plugin returns 1
sudo: command info: umask=022
sudo: command info: command=/usr/bin/su
sudo: command info: runas_uid=0
sudo: command info: runas_gid=0
sudo: command info: runas_groups=0,5
sudo: command info: closefrom=3
sudo: command info: set_utmp=true
sudo: command info: login_class=default

whereas on amd64,

% sudo -D9 su
sudo: settings: debug_level=9
sudo: settings: progname=sudo
sudo: settings: network_addrs=....
sudo: sudo_mode 1
Segmentation fault

It seems to die in the call to

static int
policy_check(struct plugin_container *plugin, int argc, char * const argv[],
    char *env_add[], char **command_info[], char **argv_out[],
    char **user_env_out[])
{
    return plugin->u.policy->check_policy(argc, argv, env_add, command_info,
	argv_out, user_env_out);
}

I can't get it to coredump since it's setuid. Before I start adding more debug printfs, does anyone have any suggestions as to what it might be?

---Mike

>
> I added
>
>
> # auth
> auth		include		system
> -
> +auth		sufficient	/usr/local/lib/pam_ssh_agent_auth.so
> file=/etc/sudokeys debug
> # account
> account		include		system
>
> to /usr/local/etc/pam.d/sudo
>
> and added
>
> --- sudoers.sample	2011-09-19 13:24:56.000000000 -0400
> +++ sudoers	2011-09-19 13:29:17.000000000 -0400
> @@ -62,6 +62,10 @@
>  ## Uncomment to enable special input methods. Care should be taken as
>  ## this may allow users to subvert the command being run via sudo.
>  # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE
> QT_IM_SWITCHER"
> +
> +Defaults env_keep += SSH_AUTH_SOCK
> +
> +
>
>
> I must be missing something obvious?
>
> ---Mike
>

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
Gary Palmer
2011-Sep-20 19:40 UTC
pam_ssh_agent_auth coredump on AMD64 (was Re: PAM modules)
On Tue, Sep 20, 2011 at 03:13:32PM -0400, Mike Tancsa wrote:
> On 9/19/2011 2:00 PM, Mike Tancsa wrote:
> > On 9/16/2011 3:10 PM, Corey Smith wrote:
> >> On 09/16/2011 11:05 AM, Dag-Erling Smørgrav wrote:
> >>> My question is: which ones?
> >>
> >> security/pam_ssh_agent_auth
> >>
> >> It is BSD licensed and handy for sudo.
> >
> >
> > Neato, I didn't know of this module for sudo! However, with the default
> > install on AMD64, I am getting a coredump.
>
> Actually, I tried the same setup on i386 and it seems to work just fine.
> However, on an AMD64 machine, sudo just coredumps. Anyone running this
> setup on amd64?
>
> Running with -D9, normally it looks something like
>
> % sudo -D9 su
> sudo: settings: debug_level=9
> sudo: settings: progname=sudo
> sudo: settings: network_addrs=....
> sudo: sudo_mode 1
> sudo: policy plugin returns 1
> sudo: command info: umask=022
> sudo: command info: command=/usr/bin/su
> sudo: command info: runas_uid=0
> sudo: command info: runas_gid=0
> sudo: command info: runas_groups=0,5
> sudo: command info: closefrom=3
> sudo: command info: set_utmp=true
> sudo: command info: login_class=default
>
> whereas on amd64,
>
> % sudo -D9 su
> sudo: settings: debug_level=9
> sudo: settings: progname=sudo
> sudo: settings: network_addrs=....
> sudo: sudo_mode 1
> Segmentation fault
>
> It seems to die in the call to
>
> static int
> policy_check(struct plugin_container *plugin, int argc, char * const argv[],
>     char *env_add[], char **command_info[], char **argv_out[],
>     char **user_env_out[])
> {
>     return plugin->u.policy->check_policy(argc, argv, env_add, command_info,
> 	argv_out, user_env_out);
> }
>
>
> I can't get it to coredump since it's setuid. Before I start adding more
> debug printfs, does anyone have any suggestions as to what it might be?

If you do

sysctl kern.sugid_coredump=1

can you get a coredump?

Gary
Mike Tancsa
2011-Sep-20 20:08 UTC
pam_ssh_agent_auth coredump on AMD64 (was Re: PAM modules)
On 9/20/2011 3:21 PM, Gary Palmer wrote:
>
> If you do
>
> sysctl kern.sugid_coredump=1
>
> can you get a coredump?

Tried that too.

% sysctl -a | grep core
kern.corefile: %N.core
kern.nodump_coredump: 0
kern.coredump: 1
kern.sugid_coredump: 1
debug.elf64_legacy_coredump: 1
debug.elf32_legacy_coredump: 1

Actually, my mistake on i386. It seems the plugin works with sudo-1.8.1_5 but not 1.8.2. Seems to die in the function policy_check in sudo.c

    return plugin->u.policy->check_policy(argc, argv, env_add, command_info,
	argv_out, user_env_out);
}

---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
Corey Smith
2011-Sep-20 22:11 UTC
pam_ssh_agent_auth coredump on AMD64 (was Re: PAM modules)
On Tue, Sep 20, 2011 at 4:08 PM, Mike Tancsa <mike@sentex.net> wrote:
> Seems to die in the function policy_check in sudo.c

I am able to reproduce it as well on 8.2-RELEASE amd64, pam_ssh_agent_auth-0.9.3 and sudo-1.8.2.

I wonder if this change from dragonfly would work in FreeBSD:

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/5c627295bf5ad6364bd3914b62c1075f370443d6

-Corey Smith
Mike Tancsa
2011-Sep-21 13:16 UTC
pam_ssh_agent_auth coredump on AMD64 (was Re: PAM modules)
On 9/20/2011 5:39 PM, Corey Smith wrote:
> On Tue, Sep 20, 2011 at 4:08 PM, Mike Tancsa <mike@sentex.net> wrote:
>> Seems to die in the function policy_check in sudo.c
>
> I am able to reproduce it as well on 8.2-RELEASE amd64,
> pam_ssh_agent_auth-0.9.3 and sudo-1.8.2.
>

I posted the question on the sudo list and there seems to be a workaround posted there!

http://www.sudo.ws/pipermail/sudo-users/2011-September/004831.html

---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
On 09/16/2011 08:05, Dag-Erling Smørgrav wrote:
> We currently have a number of PAM modules in ports, and while some of
> them are specific to certain third-party software, many aren't. I
> believe we would benefit from importing at least some of these into
> base. My question is: which ones?

For the sake of having the opposing viewpoint represented, I'm opposed to importing more of this stuff into the base. Given that it works just fine as it is, the benefits of importing it would have to overwhelmingly compensate for the negatives of having to keep them up to date in the base.

Taking ldap as an example, the subset of our users who need this functionality are already able to get it from the ports tree, where it is easier to keep up to date across multiple FreeBSD versions.

Doug

--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/