Edgar, Bob
2003-Nov-17 16:45 UTC
3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords
Greetings,

I know that part of the following has been discussed here before but please bear with me.

We are running on Solaris versions 2.6 - 9 with a NISplus name service. The permissions on the NISplus password map have been modified to limit read access to the encrypted password field of the passwd table to only the entry owner and the table administrators. See: http://docs.sun.com/db/doc/801-6633/6i10dhc35?a=view

This modification means that only a validated user can see the encrypted password field and further the user can see _only_ his or her own password, all other entries are returned as "*NP*".

This behavior poses a chicken and egg problem: how can a user be authenticated when the password field is not visible? The PAM stack handles this by treating the supplied password as the key used to decrypt the user's secret key used when issuing requests to any secure RPC services.

What all of the above means in terms of OpenSSH is that PasswordAuthentication will not function and that UsePAM is required. While this functions properly for normal users it has one very negative security implication with respect to root logins: PermitRootLogin is not respected when UsePAM is in effect. I submit that ignoring the PermitRootLogin directive is counter intuitive and that doing so opens a serious security hole for the unwary. As this behavior is documented it can be considered a feature but I would like to propose that this decision be revisited in light of the above.

PAM support is now in keyboard-interactive and I have looked at the code enough to realize that the change is not "obvious by inspection". I would greatly appreciate any help anyone (Darren Tucker?) might provide in generating a patch that implements PermitRootLogin with UsePAM.

Thanks for your time and apologies if the above is unclear or incorrect.
bob

The legal word: "This message only reflects the personal opinion of the author and must not be regarded as or considered to be any form of reference to the opinion of the Commerzbank AG or any of its affiliated companies." On the other hand, it probably doesn't accurately reflect the author's opinion either, but that's another story. So it goes. Copyright (C) 2003 MrBob, no rights reserved.

Damien Miller
2003-Nov-17 23:50 UTC
3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords
Edgar, Bob wrote:
> What all of the above means in terms of OpenSSH is that
> PasswordAuthentication will not function and that UsePAM is required.
> While this functions properly for normal users it has one very negative
> security implication with respect to root logins: PermitRootLogin is
> not respected when UsePAM is in effect. I submit that ignoring the
> PermitRootLogin directive is counter intuitive and that doing so opens
> a serious security hole for the unwary. As this behavior is documented
> it can be considered a feature but I would like to propose that this
> decision be revisited in light of the above.

What is the problem with PermitRootLogin and UsePAM=yes? It works fine for me.

-d
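
An added example, not part of either message: a small Python check that reads an sshd_config the way sshd does (the first value obtained for a keyword wins) and flags the PermitRootLogin plus UsePAM combination raised in this thread so that it gets tested on the installed build rather than assumed. The sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample config (not taken from the thread).
SAMPLE = """\
# /etc/ssh/sshd_config (constructed)
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
# A later duplicate is ignored: sshd uses the first value obtained.
PermitRootLogin yes
"""

WATCHED = ("permitrootlogin", "usepam", "passwordauthentication",
           "challengeresponseauthentication")
RESTRICTIVE = {"no", "without-password", "prohibit-password",
               "forced-commands-only"}


def effective_settings(text):
    """Return the first value seen for each watched keyword (global section only)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # Match blocks (later releases) are conditional
            break
        if key in WATCHED and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().strip('"').lower()
    return {k: seen.get(k) for k in WATCHED}   # None = unset, build default applies


def review(settings):
    """List findings for the PermitRootLogin + UsePAM combination."""
    findings = []
    prl, pam = settings["permitrootlogin"], settings["usepam"]
    kbd = settings["challengeresponseauthentication"]
    if prl is None:
        findings.append("PermitRootLogin unset: the build's default applies")
    elif prl == "yes":
        findings.append("PermitRootLogin yes: root may authenticate directly")
    if pam == "yes" and prl in RESTRICTIVE and kbd != "no":
        findings.append(f"PermitRootLogin {prl} with UsePAM yes and keyboard-interactive "
                        "not disabled: test a root login on this build")
    return findings


if __name__ == "__main__":
    for finding in review(effective_settings(SAMPLE)):
        print("REVIEW:", finding)
```
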