Date: Fri, 7 Feb 2014 17:53:07 GMT
From: Pete Fritchman <petef@databits.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/186545: [PATCH] security/sssd: add ignore_unknown_user option to pam_sss
Message-ID: <201402071753.s17Hr74q038267@newred.freebsd.org>
Resent-Message-ID: <201402071800.s17I01Jm002828@freefall.freebsd.org>
>Number:         186545
>Category:       ports
>Synopsis:       [PATCH] security/sssd: add ignore_unknown_user option to pam_sss
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 07 18:00:01 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Pete Fritchman
>Release:        10.0-RELEASE
>Organization:
>Environment:
FreeBSD zzz 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014 root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
When using pam_sss for HBAC (host-based access control), pam_sss must be marked as required in the account PAM facility ("sufficient" is not OK - if pam_sss denies access to a known user, we can't allow pam_unix.so to return success later and let the user log in).

Much like pam_ldap, pam_sss needs to be able to return PAM_IGNORE in the case of an unknown user to satisfy the "required" PAM configuration.
>How-To-Repeat:
install security/sssd, configure & run sssd, add to sshd's pam config:

account required /usr/local/lib/pam_sss.so

and try to log in with a local user account.
>Fix:
diff attached. This has also been submitted to the upstream maintainers: https://fedorahosted.org/sssd/ticket/2232

successful pam account configuration with this patch:

account required pam_nologin.so
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user

This enforces HBAC rules on users that pam_sss knows about, and allows local users (e.g. root) to log in.

Patch attached with submission follows:

--- files/patch-src__sss_client__pam_sss.c.orig 2014-02-07 12:39:44.000000000 -0500 +++ files/patch-src__sss_client__pam_sss.c 2014-02-07 12:39:57.000000000 -0500 
@@ -1,17 +1,14 @@ -From 86816db5982df0c1b0c5f5722e23111c62ff362e Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik <lukas.slebodnik@intrak.sk> -Date: Sat, 27 Jul 2013 15:02:31 +0200 -Subject: [PATCH 31/34] patch-src__sss_client__pam_sss.c - ---- - src/sss_client/pam_sss.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git src/sss_client/pam_sss.c src/sss_client/pam_sss.c -index 3734c8f..7110d38 100644 ---- src/sss_client/pam_sss.c -+++ src/sss_client/pam_sss.c -@@ -125,10 +125,12 @@ static void free_exp_data(pam_handle_t *pamh, void *ptr, int err) +--- src/sss_client/pam_sss.c.orig 2013-11-06 13:35:03.000000000 -0500 ++++ src/sss_client/pam_sss.c 2014-02-07 12:38:51.000000000 -0500 +@@ -52,6 +52,7 @@ + #define FLAGS_USE_FIRST_PASS (1 << 0) + #define FLAGS_FORWARD_PASS (1 << 1) + #define FLAGS_USE_AUTHTOK (1 << 2) ++#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3) + + #define PWEXP_FLAG "pam_sss:password_expired_flag" + #define FD_DESTRUCTOR "pam_sss:fd_destructor" +@@ -125,10 +126,12 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err) { @@ -24,6 +21,22 @@ D(("Closing the fd")); sss_pam_close_fd(); --- -1.8.0 - +@@ -1292,6 +1295,8 @@ + } + } else if (strcmp(*argv, "quiet") == 0) { + *quiet_mode = true; ++ } else if (strcmp(*argv, "ignore_unknown_user") == 0) { ++ *flags |= FLAGS_IGNORE_UNKNOWN_USER; + } else { + logger(pamh, LOG_WARNING, "unknown option: %s", *argv); + } +@@ -1429,6 +1434,9 @@ + ret = get_pam_items(pamh, &pi); + if (ret != PAM_SUCCESS) { + D(("get items returned error: %s", pam_strerror(pamh,ret))); ++ if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) { ++ ret = PAM_IGNORE; ++ } + return ret; + } + >Release-Note: >Audit-Trail: >Unformatted:
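Review bot: in the @@ -1429,6 +1434,9 @@ hunk the PAM_USER_UNKNOWN to PAM_IGNORE translation is applied only to the return value of get_pam_items(), i.e. before any request has been sent to sssd; the hunk does not show that a PAM_USER_UNKNOWN status returned later by the sssd responder for a user it does not know takes the same path, so please confirm that the How-To-Repeat case (a local, non-root user) actually reaches this check, or add the same `ret == PAM_USER_UNKNOWN` to `PAM_IGNORE` mapping where the responder's status is evaluated. Minor style point on the same lines: write the condition as `(flags & FLAGS_IGNORE_UNKNOWN_USER) && ret == PAM_USER_UNKNOWN`; the precedence is correct as written, but the explicit parentheses make the bit test read unambiguously.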
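Review bot: the new ignore_unknown_user option parsed in the @@ -1292,6 +1295,8 @@ hunk is not documented anywhere in the patch; the pam_sss(8) man page should get an entry stating that the option maps PAM_USER_UNKNOWN to PAM_IGNORE so the module can be stacked as `required` alongside pam_unix, with the account configuration shown under >Fix: as the worked example, otherwise an administrator has no way to discover the option short of reading eval_argv().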
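The PAM-stacking argument made in the Description and Fix sections, as an added example that is not part of the PR or of sssd: a small C model of OpenPAM account-chain evaluation with constructed stand-ins for pam_unix and pam_sss (unix_acct, sss_acct, the user kinds and the numeric status values are assumptions of the model, not sssd's code). It shows why "sufficient" lets an HBAC-denied user in, why "required" without the option locks local users out, and what ignore_unknown_user changes.

```c
#include <stdio.h>

/* Symbolic PAM status codes; the numeric values are irrelevant to the model. */
enum pam_status { PAM_SUCCESS, PAM_PERM_DENIED, PAM_USER_UNKNOWN, PAM_IGNORE };
enum control { REQUIRED, SUFFICIENT };
/* Constructed user kinds: a local passwd user, and sssd users allowed or denied by HBAC. */
enum user_kind { LOCAL_USER, SSSD_USER_ALLOWED, SSSD_USER_DENIED };
/* One "account <control> <module> [ignore_unknown_user]" line of the PAM config. */
struct entry { enum control ctl; enum pam_status (*acct)(enum user_kind, int); int ignore_unknown; };

/* pam_unix stand-in: every user resolves via nsswitch (sssd users too), so account mgmt succeeds. */
static enum pam_status unix_acct(enum user_kind u, int ignore_unknown) {
    (void)u; (void)ignore_unknown; return PAM_SUCCESS;
}

/* pam_sss stand-in: enforces HBAC for its own users; for anyone else it reports PAM_USER_UNKNOWN,
 * or PAM_IGNORE when ignore_unknown_user is set (the behaviour the patch adds). */
static enum pam_status sss_acct(enum user_kind u, int ignore_unknown) {
    if (u == SSSD_USER_ALLOWED) return PAM_SUCCESS;
    if (u == SSSD_USER_DENIED)  return PAM_PERM_DENIED;
    return ignore_unknown ? PAM_IGNORE : PAM_USER_UNKNOWN;
}

/* Chain evaluation as OpenPAM does it: a required failure is remembered and the chain goes on;
 * a sufficient success ends the chain unless a required module already failed; a sufficient
 * failure is ignored; a module returning PAM_IGNORE is skipped entirely. */
static enum pam_status run_stack(const struct entry *s, int n, enum user_kind u) {
    enum pam_status err = PAM_SUCCESS;
    for (int i = 0; i < n; i++) {
        enum pam_status r = s[i].acct(u, s[i].ignore_unknown);
        if (r == PAM_IGNORE) continue;
        if (s[i].ctl == REQUIRED && r != PAM_SUCCESS && err == PAM_SUCCESS) err = r;
        if (s[i].ctl == SUFFICIENT && r == PAM_SUCCESS && err == PAM_SUCCESS) return PAM_SUCCESS;
    }
    return err;
}
/* The three account stacks the PR discusses (pam_nologin and pam_login_access left out). */
static const struct entry sufficient_stack[] = { {SUFFICIENT, sss_acct, 0}, {REQUIRED, unix_acct, 0} };
static const struct entry unpatched_stack[]  = { {REQUIRED, unix_acct, 0}, {REQUIRED, sss_acct, 0} };
static const struct entry patched_stack[]    = { {REQUIRED, unix_acct, 0}, {REQUIRED, sss_acct, 1} };
enum pam_status acct_sufficient(enum user_kind u) { return run_stack(sufficient_stack, 2, u); }
enum pam_status acct_unpatched(enum user_kind u)  { return run_stack(unpatched_stack, 2, u); }
enum pam_status acct_patched(enum user_kind u)    { return run_stack(patched_stack, 2, u); }
int main(void) {
    printf("sufficient: HBAC-denied user -> %d (0 = PAM_SUCCESS, HBAC bypassed)\n", acct_sufficient(SSSD_USER_DENIED));
    printf("required, no option: local user -> %d (2 = PAM_USER_UNKNOWN, locked out)\n", acct_unpatched(LOCAL_USER));
    printf("required + ignore_unknown_user: local %d, HBAC-denied %d (1 = PAM_PERM_DENIED)\n",
           acct_patched(LOCAL_USER), acct_patched(SSSD_USER_DENIED));
    return 0;
}
```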