NetBSD Problem Report #43161
From www@NetBSD.org Wed Apr 14 01:09:29 2010
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 35F1363BCF6
for <gnats-bugs@gnats.NetBSD.org>; Wed, 14 Apr 2010 01:09:29 +0000 (UTC)
Message-Id: <20100414010928.CD7A263B8BC@www.NetBSD.org>
Date: Wed, 14 Apr 2010 01:09:28 +0000 (UTC)
From: aaron.turner@equinix.com
Reply-To: aaron.turner@equinix.com
To: gnats-bugs@NetBSD.org
Subject: pam_ldap: does not enforce pam_groupdn, allows all users to login
X-Send-Pr-Version: www-1.0
>Number: 43161
>Category: security
>Synopsis: pam_ldap: does not enforce pam_groupdn, allows all users to login
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: security-officer
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Apr 14 01:10:01 +0000 2010
>Closed-Date: Wed Mar 30 16:36:34 +0000 2011
>Last-Modified: Wed Mar 30 16:36:34 +0000 2011
>Originator: Aaron Turner
>Release: 5.0.1
>Organization:
Equinix
>Environment:
NetBSD edrs-netbsd-i386 5.0.1 NetBSD 5.0.1 (GENERIC.TCP-MD5) #0: Tue Feb 23 17:02:35 PST 2010 mdo@edrs-netbsd-i386:/usr/objdir/sys/arch/i386/compile/GENERIC.TCP-MD5 i386
>Description:
You probably should first read PR security/43160 as that has some additional information about my setup.
Long story short, the pam_ldap module built from pkgsrc sees but does not enforce the pam_groupdn option in /usr/pkg/etc/ldap.conf. Logging in via ssh as a user which is not in the specified group results in the following:
-----
aturner@Macallan:~> ssh aaront@xxx.xxx.xxx.xxx
Password:
You must be a member of cn=netbsd,ou=Machines,dc=company,dc=com to login.
Last login: Tue Apr 13 17:32:18 2010 from macallan.foo.corp.company.com
NetBSD 5.0.1 (GENERIC.TCP-MD5) #0: Tue Feb 23 17:02:35 PST 2010
Welcome to NetBSD!
-bash-2.05b$
-----
/var/log/authlog reports:
Accepted keyboard-interactive/pam for aaront from xxx.xxx.xxx.xxx port 51848 ssh2
>How-To-Repeat:
Install pam_ldap and configure /etc/nsswitch.conf and /usr/pkg/etc/ldap.conf as specified in PR security/43160.
---- /etc/pam.d/sshd:
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_ldap.so try_first_pass
auth sufficient pam_skey.so no_warn try_first_pass
auth sufficient pam_krb5.so no_warn try_first_pass
auth optional pam_afslog.so no_warn try_first_pass
# pam_ssh has potential security risks. See pam_ssh(8).
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_krb5.so
account sufficient pam_ldap.so
account required pam_login_access.so
account required pam_unix.so
# session
# pam_ssh has potential security risks. See pam_ssh(8).
#session optional pam_ssh.so
session sufficient pam_ldap.so
session required pam_permit.so
# password
password sufficient pam_krb5.so no_warn try_first_pass
password sufficient pam_ldap.so try_first_pass
password required pam_unix.so no_warn try_first_pass
Then login remotely via ssh using a user that exists in LDAP but not in /etc/passwd.
>Fix:
N/A
>Release-Note:
>Audit-Trail:
From: "NetBSD's security officer tracking via RT" <security-replies@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: [NetBSD.org #29960] AutoReply: security/43161: pam_ldap: does not enforce pam_groupdn, allows all users to login
Date: Sun, 25 Apr 2010 21:53:20 +0000
Greetings,
This message has been automatically generated in response to the
creation of a trouble ticket regarding:
"security/43161: pam_ldap: does not enforce pam_groupdn, allows all users to login",
a summary of which appears below.
There is no need to reply to this message right now. Your ticket has been
assigned an ID of [NetBSD.org #29960].
Please include the string:
[NetBSD.org #29960]
in the subject line of all future correspondence about this issue. To do so,
you may reply to this message.
Thank you,
security-replies@rt.NetBSD.org
-------------------------------------------------------------------------
State-Changed-From-To: open->feedback
State-Changed-By: drochner@NetBSD.org
State-Changed-When: Tue, 15 Mar 2011 21:48:28 +0000
State-Changed-Why:
this looks like a pilot error: the "sufficient" in the "account" rule
tells PAM to continue on error. What works instead is
account required pam_ldap.so ignore_unknown_user
State-Changed-From-To: feedback->closed
State-Changed-By: drochner@NetBSD.org
State-Changed-When: Wed, 30 Mar 2011 16:36:34 +0000
State-Changed-Why:
submitter doesn't respond. Problem is caused by wrong configuration.
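The control-flag behaviour behind that diagnosis, as an added example that is not part of this PR and not NetBSD, OpenPAM or pam_ldap code: a small Python model walks an "account" chain with the pam.conf(5) rules (required: a failure makes the overall result fail but the chain continues; requisite: failure stops the chain; sufficient: success ends the chain unless an earlier required module failed, failure is ignored; optional: failure is ignored) and feeds it the submitter's stack beside the corrected one. The module stubs, the directory contents (users aaront, ldapadmin, root and the pam_groupdn membership) and the function names are constructed for the example; ignore_unknown_user is the real pam_ldap option named in the audit trail. The pam_krb5 line is left out because it does not decide this case.

```python
"""Model of a PAM 'account' chain resolving the pam_ldap pam_groupdn check
under 'sufficient' versus 'required ... ignore_unknown_user'.

Added example, not NetBSD/OpenPAM/pam_ldap code: the modules are stubs that
return the result codes their real counterparts are documented to return,
and the directory below is made up.
"""
from enum import Enum


class R(Enum):
    SUCCESS = "PAM_SUCCESS"
    PERM_DENIED = "PAM_PERM_DENIED"
    USER_UNKNOWN = "PAM_USER_UNKNOWN"
    IGNORE = "PAM_IGNORE"


# Constructed data (assumption: nsswitch.conf says 'files ldap', so
# getpwnam(3) resolves LDAP users as well as /etc/passwd ones).
LDAP_USERS = {"aaront", "ldapadmin"}
GROUP_MEMBERS = {"ldapadmin"}        # members of the pam_groupdn group
LOCAL_USERS = {"root", "operator"}   # /etc/passwd


def pam_ldap_acct(user, opts):
    """Stub of pam_ldap account management with pam_groupdn set."""
    if user not in LDAP_USERS:
        # ignore_unknown_user makes the module decline instead of failing
        return R.IGNORE if "ignore_unknown_user" in opts else R.USER_UNKNOWN
    return R.SUCCESS if user in GROUP_MEMBERS else R.PERM_DENIED


def pam_login_access_acct(user, opts):
    """Stub: /etc/login.access imposes no restriction."""
    return R.SUCCESS


def pam_unix_acct(user, opts):
    """Stub: succeeds for any user getpwnam(3) can resolve."""
    return R.SUCCESS if user in LOCAL_USERS | LDAP_USERS else R.USER_UNKNOWN


MODULES = {"pam_ldap.so": pam_ldap_acct,
           "pam_login_access.so": pam_login_access_acct,
           "pam_unix.so": pam_unix_acct}


def parse_account_chain(text):
    """Return [(control_flag, module, [options])] for the 'account' lines."""
    chain = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        facility, flag, module, *opts = line.split()
        if facility == "account":
            chain.append((flag, module, opts))
    return chain


def run_account_chain(chain, user):
    """Walk the chain with pam.conf(5) semantics; return (result, trace)."""
    err = None          # first failure that counts towards the result
    trace = []
    for flag, module, opts in chain:
        r = MODULES[module](user, opts)
        trace.append(f"{flag:<10} {module:<20} -> {r.value}")
        if r is R.IGNORE:           # module declined: treated as absent
            continue
        if r is R.SUCCESS:
            # sufficient/binding success ends the chain unless a required
            # module already failed
            if flag in ("sufficient", "binding") and err is None:
                break
            continue
        if flag == "requisite":     # failure: stop immediately
            err = err or r
            break
        if flag in ("required", "binding"):
            err = err or r          # failure recorded, chain continues
        # sufficient/optional failures are simply ignored
    return (R.SUCCESS if err is None else err), trace


# The submitter's stack, reduced to the modules that decide this case.
BROKEN = """
account sufficient pam_ldap.so
account required   pam_login_access.so
account required   pam_unix.so
"""
# The line the security officer recommended instead.
FIXED = BROKEN.replace("sufficient pam_ldap.so",
                       "required   pam_ldap.so ignore_unknown_user")
# 'required' without ignore_unknown_user: local /etc/passwd users lock out.
STRICT = BROKEN.replace("sufficient pam_ldap.so", "required   pam_ldap.so")


def outcome(config, user):
    """Overall account-management result for one config and one user."""
    return run_account_chain(parse_account_chain(config), user)[0]
```

Running outcome() over the three configs reproduces the report: with BROKEN, aaront gets PAM_PERM_DENIED from pam_ldap (the "You must be a member of ..." message in the transcript) but the chain ignores it and pam_unix, which resolves the LDAP user through nsswitch, carries the stack to PAM_SUCCESS. With FIXED the same user is refused, ldapadmin (in the group) and root (not in LDAP, so pam_ldap returns PAM_IGNORE) still log in. STRICT shows why the option matters: root is refused with PAM_USER_UNKNOWN, so dropping ignore_unknown_user would lock out every local account. The same reasoning applies to any module whose verdict is the policy, not the credential: it belongs under "required", never "sufficient".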
>Unformatted:
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.