openssh and pam_ldap
Michael Thomas
thomas at hep.caltech.edu
Wed Sep 12 05:55:10 UTC 2007
Hi Jon,
We have a relatively small number of users (~15) and a medium number of
hosts that need this access control (~60), so I figured maintaining the
user <-> host mappings manually would not be too difficult. But the use
of netgroups seems like it would make things even simpler. In addition
to some standard netgroups (developers, admins), I can also define a
separate netgroup for certain individual hosts, and maintain a list of
additional users who are allowed to access that host via the netgroup
defined in ldap.
Thanks for the pointer,
--Mike
Jon Miller wrote:
> At my last workplace, we used the host attribute to control access as
> well. Long story short, we saw the same problem you are describing but
> not before I left to take a new job at another company.
>
> At my current job, I'm actually helping to roll out an LDAP
> implementation. We are using the pam_access module to control access
> to machines. What you typically do, with this module, is setup a
> netgroup in LDAP and then grant the netgroup access in your
> access.conf file which pam_acess uses. It is a more elegant solution,
> IMO.
>
> Let's say you setup a new database server and need to permit all of
> your DBAs access. With the host attribute method, you would update
> every DBA's list of hosts. Very manual procedure which gets old quick.
> By using netgroups, you simply state that the dba's netgroup is
> allowed to log into that machine. This method has similar benefits for
> when you hire a new DBA.
>
> -- Jon Miller
>
> A bit off topic, but do you delegate permissions via sudo? If so, did
> you know you can specify a group of people via a netgroup? Combine
> this style of delegation with your host control and then you can
> controlling host access as well as sudo permissions by simply adding /
> removing people from a netgroup.
>
> On 9/11/07, Michael Thomas <thomas at hep.caltech.edu> wrote:
>> I've been fighting with this problem for a couple of days now and
>> thought it was time to appeal to the experts...
>>
>> I'm using RHEL4 with pam_ldap to authenticate users who do not have
>> local accounts. This works. I'm also using pam_check_host_attr in
>> ldap.conf to limit who is allowed to log into a host based on their host
>> attribute in ldap. This also works, mostly.
>>
>> When users log in using their ldap password, that is, when ssh prompts
>> them for their password, the host-based access control provided by
>> pam_check_host_attr works. Users who don't have the proper ldap host
>> attribute are denied access.
>>
>> But as soon as a user puts a public key in ~/.ssh/authorized_keys,
>> pam_check_host_attr stops working. Regardless of what is in their ldap
>> host attribute, openssh lets them in. I want to allow (and encourage)
>> the use of authorized_keys files for logging into the machines, but I
>> also want to retain control of which machines they can log into by using
>> the host attribute in their ldap entry.
>>
>> I've tried changing ChallengeResponseAuthentication to 'yes', but then
>> users are always prompted for their password. I've also tried adding
>> the 'debug' option to pam_ldap.so and directing all *.debug messages in
>> syslog to /var/log/debug, but I don't see anything appear from pam_ldap.
>>
>> Is it possible to allow ssh key-based authentication, but still prohibit
>> logins based on the ldap host attribute?
>>
>> --Mike
>>
>> sshd_config contains:
>>
>> Protocol 2
>> SyslogFacility AUTHPRIV
>> ChallengeResponseAuthentication no
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>> UsePAM yes
>> X11Forwarding yes
>> Subsystem sftp /usr/libexec/openssh/sftp-server
>>
>> /etc/pam.d/system-auth contains:
>>
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required /lib/security/$ISA/pam_env.so
>> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
>> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
>> auth required /lib/security/$ISA/pam_deny.so
>>
>> account required /lib/security/$ISA/pam_unix.so broken_shadow
>> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100
>> quiet
>> account [default=bad success=ok user_unknown=ignore]
>> /lib/security/$ISA/pam_ldap.so
>> account required /lib/security/$ISA/pam_permit.so
>>
>> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
>> password sufficient /lib/security/$ISA/pam_unix.so nullok
>> use_authtok md5 shadow
>> password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
>> password required /lib/security/$ISA/pam_deny.so
>>
>> session required /lib/security/$ISA/pam_mkhomedir.so
>> skel=/etc/skel/ umask=0022
>> session required /lib/security/$ISA/pam_limits.so
>> session required /lib/security/$ISA/pam_unix.so
>> session optional /lib/security/$ISA/pam_ldap.so
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/pam-list
>>
More information about the Pam-list
mailing list