Hello openssh developers, long time no see :-) there is a bug in sshd with *nix machines joined to Active Directory using Samba's winbind daemon. The problem is that with cold caches, a user logging in via ssh gets possibly the wrong primary gid assigned. Let me try to explain in detail: In Active Directory (AD) you only get a correct access token (group memberships of a user) during authentication. Only a Domain Controller (DC) is able to calculate the access token as it as the required permission to collect the information in the forest. When Samba authenticates a user using winbindd. We either authenticate the user using Kerberos or NTLM. We get the access token sent back upon successful authentication and store it in a cache. All system calls like getent are answered looking up the information from that cache. On a new connection the openssh server checks if the connecting username exists using getpwnam() it then stores the 'struct passwd' in the session structure. If the gets authenticated using PAM through pam_winbind we authencticate the user against our DC, get correct access token and cache it. However the openssh server doesn't update the passwd structure after a successful PAM authentication, it sets up the user context (setuid, setgid, initgroups) using the outdated information stored in the session structure. The openssh server should update the passwd structure using getpwuid() before it sets up the users context (setuid, setgid, initgroups)! This is probably easy to fix, the question is when you want to call getpwuid() directly after a successful PAM conversation or before dropping privileges? Best regards, Andreas -- Andreas Schneider asn at cryptomilk.org GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
On Mon, 11 Feb 2019, Andreas Schneider wrote:> Hello openssh developers, > > long time no see :-) > > there is a bug in sshd with *nix machines joined to Active Directory using > Samba's winbind daemon. > > The problem is that with cold caches, a user logging in via ssh gets possibly > the wrong primary gid assigned. Let me try to explain in detail: > > In Active Directory (AD) you only get a correct access token (group > memberships of a user) during authentication. Only a Domain Controller (DC) is > able to calculate the access token as it as the required permission to collect > the information in the forest. > > When Samba authenticates a user using winbindd. We either authenticate the > user using Kerberos or NTLM. We get the access token sent back upon successful > authentication and store it in a cache. All system calls like getent are > answered looking up the information from that cache. > > On a new connection the openssh server checks if the connecting username > exists using getpwnam() it then stores the 'struct passwd' in the session > structure. > > If the gets authenticated using PAM through pam_winbind we authencticate the > user against our DC, get correct access token and cache it. However the > openssh server doesn't update the passwd structure after a successful PAM > authentication, it sets up the user context (setuid, setgid, initgroups) using > the outdated information stored in the session structure. > > The openssh server should update the passwd structure using getpwuid() before > it sets up the users context (setuid, setgid, initgroups)! > > This is probably easy to fix, the question is when you want to call getpwuid() > directly after a successful PAM conversation or before dropping privileges?I don't want to support struct passwd fiddling via PAM - it makes the server considerably more difficult to reason about. I'm pretty sure the other developers feel the same way. IMO a nis/nsswitch module is the right way to implement this sort of functionality. -d
On Tuesday, February 12, 2019 12:06:06 AM CET Damien Miller wrote:> On Mon, 11 Feb 2019, Andreas Schneider wrote: > > Hello openssh developers, > > > > long time no see :-) > > > > there is a bug in sshd with *nix machines joined to Active Directory using > > Samba's winbind daemon. > > > > The problem is that with cold caches, a user logging in via ssh gets > > possibly the wrong primary gid assigned. Let me try to explain in detail: > > > > In Active Directory (AD) you only get a correct access token (group > > memberships of a user) during authentication. Only a Domain Controller > > (DC) is able to calculate the access token as it as the required > > permission to collect the information in the forest. > > > > When Samba authenticates a user using winbindd. We either authenticate the > > user using Kerberos or NTLM. We get the access token sent back upon > > successful authentication and store it in a cache. All system calls like > > getent are answered looking up the information from that cache. > > > > On a new connection the openssh server checks if the connecting username > > exists using getpwnam() it then stores the 'struct passwd' in the session > > structure. > > > > If the gets authenticated using PAM through pam_winbind we authencticate > > the user against our DC, get correct access token and cache it. However > > the openssh server doesn't update the passwd structure after a successful > > PAM authentication, it sets up the user context (setuid, setgid, > > initgroups) using the outdated information stored in the session > > structure. > > > > The openssh server should update the passwd structure using getpwuid() > > before it sets up the users context (setuid, setgid, initgroups)! > > > > This is probably easy to fix, the question is when you want to call > > getpwuid() directly after a successful PAM conversation or before > > dropping privileges? > I don't want to support struct passwd fiddling via PAM - it makes the > server considerably more difficult to reason about. I'm pretty sure > the other developers feel the same way.I don't really see why a getpwuid() would make it more complex. As it seems not clear what I mean, see attached patch.> IMO a nis/nsswitch module is the right way to implement this sort of > functionality.We have a nss_winbind modules and it will provide correct user information after the user has been successfully authenticated. For that you need to read the user information after successful login. I hope the patch makes it clear. Best regards, Andreas -- Andreas Schneider asn at cryptomilk.org GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-session-Update-the-passwd-structure-after-successful.patch Type: text/x-patch Size: 1362 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20190212/12856a01/attachment.bin>
Reasonably Related Threads
- Bug in Configurator.change_privilege?
- [PATCH v2 0/2] cifs.upcall: allow cifs.upcall to grab $KRB5CCNAME from initiating process
- [cifs-utils PATCH v3 0/4] cifs.upcall: allow cifs.upcall to scrape cache location initiating task's environment
- uidswap
- [cifs-utils PATCH v3 0/4] cifs.upcall: allow cifs.upcall to scrape cache location initiating task's environment