Edgar, Bob
2003-Nov-18 12:47 UTC
3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords
It works for the "yes" case but not for the "without-password" case. The function that checks (auth_root_allowed(auth_method) is special cased for "password". The Pam case sends "keyboard-interactive/pam" which like all other authentication methods except password succeeds.

Here is a patch to make it work for me. Please feel free to criticize as appropriate.

bob

diff -r -u openssh-3.7.1p2-vanilla/auth.c openssh-3.7.1p2/auth.c --- openssh-3.7.1p2-vanilla/auth.c Tue Sep 2 23:32:46 2003 +++ openssh-3.7.1p2/auth.c Mon Nov 17 20:32:45 2003 @@ -315,7 +315,8 @@ return 1; break; case PERMIT_NO_PASSWD: - if (strcmp(method, "password") != 0) + if (strcmp(method, "password") != 0 + && strcmp(method, "keyboard-interactive/pam") != 0) return 1; break; case PERMIT_FORCED_ONLY: diff -r -u openssh-3.7.1p2-vanilla/monitor.c openssh-3.7.1p2/monitor.c --- openssh-3.7.1p2-vanilla/monitor.c Tue Sep 2 23:32:46 2003 +++ openssh-3.7.1p2/monitor.c Mon Nov 17 20:32:33 2003 @@ -306,7 +306,7 @@ authenticated = 0; #ifdef USE_PAM /* PAM needs to perform account checks after auth */ - if (options.use_pam) { + if (authenticated && options.use_pam) { Buffer m; buffer_init(&m);

-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org]
Sent: Dienstag, 18. November 2003 00:50
To: Edgar, Bob
Cc: openssh-unix-dev at mindrot.org
Subject: Re: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords

Edgar, Bob wrote:
> What all of the above means in terms of OpenSSH is that
> PasswordAuthentication will not function and that UsePAM is required.
> While this functions properly for normal users it has one very negative
> security implication with respect to root logins: PermitRootLogin is
> not respected when UsePAM is in effect. I submit that ignoring the
> PermitRootLogin directive is counter intuitive and that doing so opens
> a serious security hole for the unwary. As this behavior is documented
> it can be considered a feature but I would like to propose that this
> decision be revisited in light of the above.

What is the problem with PermitRootLogin and UsePAM=yes? It works fine for me.

-d
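Review bot: in the auth.c hunk, the added strcmp(method, "keyboard-interactive/pam") test makes PERMIT_NO_PASSWD refuse root for every PAM keyboard-interactive exchange, whether or not the PAM stack asks for a password, and nothing in the hunk says so. Add a comment above the condition stating that the PAM method is treated as a password login here, and update the description of "without-password" to match. With two method strings now compared inline, named constants or a small helper would keep the list of refused methods in one place.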
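Review bot: in the monitor.c hunk, the new "authenticated &&" condition changes when the PAM account check runs, but the comment directly above it still reads "PAM needs to perform account checks after auth" and the accompanying message does not mention this change. State the reason in the comment (the context line above sets authenticated = 0, so the check is now skipped for a login that has just been refused), and consider sending it as a separate patch from the auth.c change, since the condition is not tied to PermitRootLogin.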
Darren Tucker
2003-Nov-18 14:09 UTC
3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords
"Edgar, Bob" wrote:
>
> It works for the "yes" case but not for the "without-password" case.
> The function that checks (auth_root_allowed(auth_method) is special
> cased for "password". The Pam case sends "keyboard-interactive/pam"
> which like all other authentication methods except password succeeds.
>
> Here is a patch to make it work for me. Please feel free to criticize
> as appropriate.

[snip patch]

The catch is PAM might not use any kind of password, it might use a super-secure two-factor authentication or something. In that case, "without-password" would be misleading.

Maybe we need a more general "AllowedRootAuthMethods" option? Maybe not. Perhaps "PermitRootLogin pubkey-only"?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Dan Yefimov
2003-Nov-18 14:46 UTC
3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords
On Tue, 18 Nov 2003, Edgar, Bob wrote:
> It works for the "yes" case but not for the "without-password" case.
> The function that checks (auth_root_allowed(auth_method) is special
> cased for "password". The Pam case sends "keyboard-interactive/pam"
> which like all other authentication methods except password succeeds.
>
> Here is a patch to make it work for me. Please feel free to criticize
> as appropriate.
>

This patch will actually disable ANY type of root authentication made with PAM, regardless of whether it is password-based or something else. Instead of patching OpenSSH you could configure PAM with a line as follows (true at least for Linux-PAM):

auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers

This line should be inserted before the reference to any other module of type 'auth' that performs actual authentication. The file /etc/ssh/denyusers should contain only one line, containing 'root'. For other platforms using PAM, another module providing similar functionality could be used.

> bob
>
> diff -r -u openssh-3.7.1p2-vanilla/auth.c openssh-3.7.1p2/auth.c > --- openssh-3.7.1p2-vanilla/auth.c Tue Sep 2 23:32:46 2003 > +++ openssh-3.7.1p2/auth.c Mon Nov 17 20:32:45 2003 > @@ -315,7 +315,8 @@ > return 1; > break; > case PERMIT_NO_PASSWD: > - if (strcmp(method, "password") != 0) > + if (strcmp(method, "password") != 0 > + && strcmp(method, "keyboard-interactive/pam") != 0) > return 1; > break; > case PERMIT_FORCED_ONLY: > diff -r -u openssh-3.7.1p2-vanilla/monitor.c openssh-3.7.1p2/monitor.c > --- openssh-3.7.1p2-vanilla/monitor.c Tue Sep 2 23:32:46 2003 > +++ openssh-3.7.1p2/monitor.c Mon Nov 17 20:32:33 2003 > @@ -306,7 +306,7 @@ > authenticated = 0; > #ifdef USE_PAM > /* PAM needs to perform account checks after auth */ > - if (options.use_pam) { > + if (authenticated && options.use_pam) { > Buffer m; > > buffer_init(&m);
>
> -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org]
> Sent: Dienstag, 18. November 2003 00:50
> To: Edgar, Bob
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus
> passwords
>
> Edgar, Bob wrote:
>
> > What all of the above means in terms of OpenSSH is that
> > PasswordAuthentication will not function and that UsePAM is required.
> > While this functions properly for normal users it has one very negative
> > security implication with respect to root logins: PermitRootLogin is
> > not respected when UsePAM is in effect. I submit that ignoring the
> > PermitRootLogin directive is counter intuitive and that doing so opens
> > a serious security hole for the unwary. As this behavior is documented
> > it can be considered a feature but I would like to propose that this
> > decision be revisited in light of the above.
>
> What is the problem with PermitRootLogin and UsePAM=yes? It works fine
> for me.
>

--
Sincerely Yours,
Dan.
Edgar, Bob
2003-Nov-18 15:24 UTC
3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords
First: yes, the patch disables root login for all PAM. But that's ok. Why? If "PermitRootLogin yes" is set then the behavior is as before. The patch gives an admin the choice to block all PAM/root logins (which are typically normal, plain vanilla, password logins). If more flexibility is required then the "yes" value will allow the PAM stack to decide.

The PAM solution is clearly an option (thanks!) but not here (and I suspect many other sites as well). We have several hundred servers that would need to have a change to the PAM configuration. Sun doesn't supply a PAM module that supports the functionality required (at least, none that I am aware of) which means finding one or building one in-house. This option brings with it the usual risks with any development and is for that reason not attractive.

Darren Tucker's comment about being misleading is, of course, true but I find the current state misleading as well but more dangerous. The system admin has configured the system and thinks that root logins with password are disabled but in fact they are not. Yes, as I acknowledged in my first post, it is documented so it is technically not a bug but this is the real world and I think the least surprises rule should apply here.

bob

-----Original Message-----
From: Dan Yefimov [mailto:dan at D00M.integrate.com.ru]
Sent: Dienstag, 18. November 2003 15:46
To: Edgar, Bob
Cc: openssh-unix-dev at mindrot.org
Subject: RE: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords

On Tue, 18 Nov 2003, Edgar, Bob wrote:
> It works for the "yes" case but not for the "without-password" case.
> The function that checks (auth_root_allowed(auth_method) is special
> cased for "password". The Pam case sends "keyboard-interactive/pam"
> which like all other authentication methods except password succeeds.
>
> Here is a patch to make it work for me. Please feel free to criticize
> as appropriate.
>

This patch will actually disable ANY type of root authentication made with PAM, regardless of whether it is password-based or something else. Instead of patching OpenSSH you could configure PAM with a line as follows (true at least for Linux-PAM):

auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers

This line should be inserted before the reference to any other module of type 'auth' that performs actual authentication. The file /etc/ssh/denyusers should contain only one line, containing 'root'. For other platforms using PAM, another module providing similar functionality could be used.

> bob
>
> diff -r -u openssh-3.7.1p2-vanilla/auth.c openssh-3.7.1p2/auth.c > --- openssh-3.7.1p2-vanilla/auth.c Tue Sep 2 23:32:46 2003 > +++ openssh-3.7.1p2/auth.c Mon Nov 17 20:32:45 2003 > @@ -315,7 +315,8 @@ > return 1; > break; > case PERMIT_NO_PASSWD: > - if (strcmp(method, "password") != 0) > + if (strcmp(method, "password") != 0 > + && strcmp(method, "keyboard-interactive/pam") != 0) > return 1; > break; > case PERMIT_FORCED_ONLY: > diff -r -u openssh-3.7.1p2-vanilla/monitor.c openssh-3.7.1p2/monitor.c > --- openssh-3.7.1p2-vanilla/monitor.c Tue Sep 2 23:32:46 2003 > +++ openssh-3.7.1p2/monitor.c Mon Nov 17 20:32:33 2003
> @@ -306,7 +306,7 @@ > authenticated = 0; > #ifdef USE_PAM > /* PAM needs to perform account checks after auth*/> - if (options.use_pam) { > + if (authenticated && options.use_pam) { > Buffer m; > > buffer_init(&m);
>
> -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org]
> Sent: Dienstag, 18. November 2003 00:50
> To: Edgar, Bob
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus
> passwords
>
> Edgar, Bob wrote:
>
> > What all of the above means in terms of OpenSSH is that
> > PasswordAuthentication will not function and that UsePAM is required.
> > While this functions properly for normal users it has one very negative
> > security implication with respect to root logins: PermitRootLogin is
> > not respected when UsePAM is in effect. I submit that ignoring the
> > PermitRootLogin directive is counter intuitive and that doing so opens
> > a serious security hole for the unwary. As this behavior is documented
> > it can be considered a feature but I would like to propose that this
> > decision be revisited in light of the above.
>
> What is the problem with PermitRootLogin and UsePAM=yes? It works fine
> for me.
>

--
Sincerely Yours,
Dan.
Edgar, Bob
2003-Nov-18 17:11 UTC
3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords
In principle, yes, but there are two points to consider.

One is that the behavior of SSH changed from 3.5 (3.6?) to 3.7. It is not possible to implement the old behavior without adding a new PAM module and changing the PAM configuration at least on Solaris systems. It should also be noted that the same design change breaks connectivity with older versions of ssh.com client which don't support challenge-response. Remember too that I don't have an alternative to using PAM, the protected password fields in NIS+ (a good thing IMHO) require it.

The second is that (at least to my knowledge) other programs like telnet, ftp and login do not rely upon the PAM stack for this purpose but have their own option to permit or forbid root access. This is still the behavior when SSH does its password auth.

Here again is the situation: UsePAM yes is incompatible with PasswordAuthentication. Currently "UsePAM yes" enabled has "PermitRootLogin yes" exhibiting the same behavior as "PermitRootLogin without-password" (what the PAM stack allows is ok). The change I submitted modifies the behavior for "PAM yes" and "PermitRootLogin without-password" to allow the administrator to block root access via PAM. The "PermitRootLogin yes" still follows the decision made by the PAM stack and thus allows for fancy authentication thingies.

This change allows older configurations to continue to work without modification to the PAM config or additional modules without removing any functionality or control in the current implementation.

If someone can provide a better fix for the problem described I'd be more than happy to adopt it. In the meantime, thanks for your time and comments.

bob

-----Original Message-----
From: Markus Friedl [mailto:markus at openbsd.org]
Sent: Dienstag, 18. November 2003 17:16
To: Darren Tucker
Cc: Edgar, Bob; openssh-unix-dev at mindrot.org
Subject: Re: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords

On Wed, Nov 19, 2003 at 01:09:18AM +1100, Darren Tucker wrote:
> "Edgar, Bob" wrote:
> >
> > It works for the "yes" case but not for the "without-password" case.
> > The function that checks (auth_root_allowed(auth_method) is special
> > cased for "password". The Pam case sends "keyboard-interactive/pam"
> > which like all other authentication methods except password succeeds.
> >
> > Here is a patch to make it work for me. Please feel free to criticize
> > as appropriate.
> [snip patch]
>
> The catch is PAM might not use any kind of password, it might use a
> super-secure two-factor authentication or something. In that case,
> "without-password" would be misleading.
>
> Maybe we need a more general "AllowedRootAuthMethods" option? Maybe not.
> Perhaps "PermitRootLogin pubkey-only"?

IMHO it's PAM's job to control access if PAM is used.
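
The root-login gate that the message above summarises, as an added example: a simplified model written for this page, not OpenSSH source and not code from anyone in the thread. The function names, the three-value enum and the sample method list are assumptions, and forced-commands-only is left out.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the root gate discussed in the thread; not OpenSSH
 * source. forced-commands-only and logging are left out (assumption). */
enum permit { PERMIT_NO, PERMIT_NO_PASSWD, PERMIT_YES };

/* Vanilla 3.7.1p2 as described: only the "password" method is refused. */
static int root_allowed_vanilla(enum permit setting, const char *method)
{
	switch (setting) {
	case PERMIT_YES:
		return 1;
	case PERMIT_NO_PASSWD:
		return strcmp(method, "password") != 0;
	default:
		return 0;
	}
}

/* With the posted patch: the PAM keyboard-interactive method is refused
 * as well, whatever the PAM stack would have asked for. */
static int root_allowed_patched(enum permit setting, const char *method)
{
	if (setting == PERMIT_NO_PASSWD &&
	    strcmp(method, "keyboard-interactive/pam") == 0)
		return 0;
	return root_allowed_vanilla(setting, method);
}

int main(void)
{
	/* Constructed sample inputs: setting names and method strings. */
	static const char *settings[] = { "no", "without-password", "yes" };
	static const char *methods[] = {
		"password", "keyboard-interactive/pam", "publickey"
	};
	int s, m;

	printf("%-18s %-26s %-8s %s\n", "PermitRootLogin", "method", "vanilla", "patched");
	for (s = PERMIT_NO; s <= PERMIT_YES; s++)
		for (m = 0; m < 3; m++)
			printf("%-18s %-26s %-8s %s\n", settings[s], methods[m],
			    root_allowed_vanilla((enum permit)s, methods[m]) ? "allow" : "refuse",
			    root_allowed_patched((enum permit)s, methods[m]) ? "allow" : "refuse");
	return 0;
}
```

In the printed table, "allow" only means the gate lets that method proceed for root; with "keyboard-interactive/pam" the PAM stack still makes the actual authentication decision.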