
Re: Nightmare : pam_autologin

On Mon, Apr 29, 2002 at 09:07:09PM +1000, Tim Johnston wrote:

> I appreciate that there are security issues involved with this, but in my
> situation it's necessary to do this to set up single-purpose workstations.
> That is, terminals that when turned on, start up and run particular
> programs, and logout when that program exits. There are endless practical
> applications for this - information booths, data entry terminals, and so
> on, where you want a machine to have a particular single function, and you
> particularly care who operates it.  I believe that this is important, vital
> even, but clearly not many other people feel the same way, or there would
> already be a solution available.

If it has a hard drive, you can also set up workstations to do automatic
network logins using, e.g., ssh keys.  You can do this even if you don't
have a local hard drive, though some of the security goes out the window 
when you're reading your ssh private key across NFS. :)

> So, much as I was reluctant to do this, I've done something myself -
> shamelessly cobbled together from various other modules. And guess what? It
> works! It does what I want it to do. But I thought that I should bounce
> this off this mailing list to see if persons more knowledgeable than myself
> can assist in improving this. I'm aware that the code is rough, in
> particular, I was uncertain about how to finish and grant access. As I say,
> what is here works, but maybe it can be improved.

> The idea is: a configuration file, hard coded as /etc/autologin.conf as
> follows:

>    machine1.test.net    boris
>    ttyS1  natasha

> There are two "fields" to the file. The first is either an IP or TTY, the
> second entry is the user to be logged in as.

> /etc/pam.d/login has as its first line:

>      auth       sufficient   /lib/security/pam_autologin.so

> pam_autologin checks that the config file exists, that it is owned by user
> and group root, and has permissions of 0600. If so, if either the tty or the
> IP matches the first field, the connecting terminal is logged in as the user
> in the second field. If pam_autologin logs the user in, this is logged, if
> not, control passes silently to the other modules in the /etc/pam.d/login
> stack.

Two concerns with the above.  First, you don't have any distinguishing
tags to differentiate hostnames from tty's.  If I know you're using this
module on a server, I can subvert your security by configuring my DNS to
say I have a hostname of 'ttyS1'.  Second, why are you insisting on
permissions of 0600?  This is against Debian policy regarding config
files, for instance, and it really doesn't buy you much in the way of
security: if I have enough access to the system that I can see
/etc/autologin.conf is present, I can probably also watch the system and
see what users are getting access from what hostnames/tty's: it wouldn't
take an attacker long to gather enough information this way to be

> **** As shown, the config file uses DNS names, following the available item
> "retval = pam_get_item (pamh, PAM_RHOST, (const void **)&current);", but
> really I would have preferred to use IPs, to avoid the extra step of name
> lookups. Anyone know how to do this?

The DNS lookup has already been done for you by PAM, so not using it
doesn't save you anything.  However, see above regarding the dangers of
DNS spoofing here.

Steve Langasek
postmodern programmer
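
The hostname/tty ambiguity raised in the first concern above, as an added example (not part of the original message and not pam_autologin's code): the untyped field from the posted config is matched against both the tty and the remote host, next to a tagged variant where each entry is compared only against its own kind. The `tty:`/`host:` tag syntax, the function names and the sample data are assumptions. Tagging removes only the type confusion; a `host:` entry still depends on the DNS name.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Constructed sample configs: the page's format, and an assumed tagged variant. */
static const char UNTAGGED[] = "machine1.test.net    boris\nttyS1  natasha\n";
static const char TAGGED[]   = "host:machine1.test.net  boris\ntty:ttyS1  natasha\n";

/* Untyped field, compared against both the tty and the remote host. */
static int match_untagged(const char *f, const char *tty, const char *rhost)
{
    return (tty && strcmp(f, tty) == 0) || (rhost && strcasecmp(f, rhost) == 0);
}

/* Tagged field: compared only with its own kind; untagged entries never match. */
static int match_tagged(const char *f, const char *tty, const char *rhost)
{
    if (strncmp(f, "tty:", 4) == 0)
        return tty && strcmp(f + 4, tty) == 0;
    if (strncmp(f, "host:", 5) == 0)
        return rhost && strcasecmp(f + 5, rhost) == 0;
    return 0;
}

/* Scan "field user" lines; on a match copy the user name and return 1. */
static int lookup(const char *conf, int tagged, const char *tty,
                  const char *rhost, char *user, size_t ulen)
{
    char line[256], field[128], name[64];
    while (*conf) {
        size_t len = strcspn(conf, "\n");
        if (len < sizeof line) {
            snprintf(line, sizeof line, "%.*s", (int)len, conf);
            if (sscanf(line, "%127s %63s", field, name) == 2 &&
                (tagged ? match_tagged : match_untagged)(field, tty, rhost)) {
                snprintf(user, ulen, "%s", name);
                return 1;
            }
        }
        conf += len + (conf[len] == '\n');
    }
    return 0;
}

int main(void)
{
    char user[64];
    /* Remote session on a pty whose client name resolves to "ttyS1". */
    printf("untagged: %d\n", lookup(UNTAGGED, 0, "pts/3", "ttyS1", user, sizeof user));
    printf("tagged:   %d\n", lookup(TAGGED, 1, "pts/3", "ttyS1", user, sizeof user));
}
```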
