Bug 186545 - [PATCH] security/sssd: add ignore_unknown_user option to pam_sss
Summary: [PATCH] security/sssd: add ignore_unknown_user option to pam_sss
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal, Affects Only Me
Assignee: Mark Felder
Reported: 2014-02-07 18:00 UTC by Pete Fritchman
Modified: 2016-11-15 13:36 UTC

Attachments:
file.diff (1.94 KB, patch), 2014-02-07 18:00 UTC, Pete Fritchman
0001-PAM-add-ignore_unknown_user-option.patch (5.10 KB, patch), 2014-03-22 14:46 UTC, lukas.slebodnik

Description Pete Fritchman 2014-02-07 18:00:01 UTC
When using pam_sss for HBAC (host-based access control), pam_sss must be marked as required in the account PAM facility ("sufficient" is not OK - if pam_sss denies access to a known user, we can't allow pam_unix.so to return success later and let the user log in). Much like pam_ldap, pam_sss needs to be able to return PAM_IGNORE in the case of an unknown user to satisfy the "required" PAM configuration.

Fix: diff attached.

This has also been submitted to the upstream maintainers: https://fedorahosted.org/sssd/ticket/2232

Successful PAM account configuration with this patch:

account         required        pam_nologin.so
account         required        pam_login_access.so
account         required        pam_unix.so
account         required        /usr/local/lib/pam_sss.so ignore_unknown_user

This enforces HBAC rules on users that pam_sss knows about, and allows local users (e.g. root) to log in.

How-To-Repeat: install security/sssd, configure & run sssd, add to sshd's pam config:

account         required        /usr/local/lib/pam_sss.so

and try to log in with a local user account.
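The description's argument rests on how a PAM chain combines module results under the "required" and "sufficient" control flags. The following is an added model (not code from the PR, from sssd or from OpenPAM) that evaluates a two-module account chain with the usual semantics of those two flags, using stand-in `pam_unix` and `pam_sss` account functions over constructed accounts: a directory user HBAC allows, one HBAC denies (both visible through nss_sss, so `getpwnam()` finds them), and local root, which sssd does not know. Return-code values, structure names and the account flags are this model's own assumptions, not the library's. It shows the HBAC bypass with "sufficient", the lock-out of local root with plain "required", and the behaviour the patch's `ignore_unknown_user` option restores.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Return codes and control flags; numeric values are this model's own,
 * not the PAM library's constants. */
enum { PAM_SUCCESS = 0, PAM_PERM_DENIED, PAM_USER_UNKNOWN, PAM_IGNORE };
enum control { REQUIRED, SUFFICIENT };

/* Constructed view of one account as the two modules would see it. */
struct user {
    const char *name;
    bool in_sssd;      /* the directory behind sssd knows this user */
    bool hbac_allows;  /* an HBAC rule permits this host and service */
    bool in_passwd;    /* getpwnam() finds the user (local file or nss_sss) */
};

struct module {
    enum control control;
    int (*account)(const struct user *u, bool ignore_unknown_user);
    bool ignore_unknown_user;  /* the option the PR adds; pam_unix has none */
};

/* Stand-in for pam_sss account management: HBAC verdict for directory users;
 * PAM_USER_UNKNOWN, or PAM_IGNORE with the new option, for anyone else. */
static int sss_account(const struct user *u, bool ignore_unknown_user)
{
    if (!u->in_sssd)
        return ignore_unknown_user ? PAM_IGNORE : PAM_USER_UNKNOWN;
    return u->hbac_allows ? PAM_SUCCESS : PAM_PERM_DENIED;
}

/* Stand-in for pam_unix account management: success for any user getpwnam() returns. */
static int unix_account(const struct user *u, bool unused)
{
    (void)unused;
    return u->in_passwd ? PAM_SUCCESS : PAM_USER_UNKNOWN;
}

/* Simplified chain dispatch: PAM_IGNORE skips a module; a "sufficient" success
 * ends the chain unless a "required" module already failed; a "required"
 * failure is recorded and the chain continues; a "sufficient" failure does not
 * affect the result. A chain in which no module gave a verdict is denied here
 * (this model's conservative choice). */
int evaluate_chain(const struct module *chain, size_t n, const struct user *u)
{
    int err = PAM_SUCCESS;
    bool required_failed = false;
    int verdicts = 0;

    for (size_t i = 0; i < n; i++) {
        int r = chain[i].account(u, chain[i].ignore_unknown_user);
        if (r == PAM_IGNORE)
            continue;
        verdicts++;
        if (r == PAM_SUCCESS) {
            if (chain[i].control == SUFFICIENT && !required_failed)
                return PAM_SUCCESS;
            continue;
        }
        if (chain[i].control == REQUIRED) {
            required_failed = true;
            if (err == PAM_SUCCESS)
                err = r;
        } /* a failing "sufficient" module is simply skipped */
    }
    return verdicts == 0 ? PAM_PERM_DENIED : err;
}

/* Stack the description warns against: pam_unix required, pam_sss sufficient. */
int stack_sss_sufficient(const struct user *u)
{
    const struct module chain[] = {
        { REQUIRED,   unix_account, false },  /* pam_unix.so */
        { SUFFICIENT, sss_account,  false },  /* pam_sss.so */
    };
    return evaluate_chain(chain, 2, u);
}

/* Stack from the description: both required, pam_sss with or without the option. */
int stack_sss_required(const struct user *u, bool ignore_unknown_user)
{
    const struct module chain[] = {
        { REQUIRED, unix_account, false },               /* pam_unix.so */
        { REQUIRED, sss_account,  ignore_unknown_user }, /* pam_sss.so */
    };
    return evaluate_chain(chain, 2, u);
}

/* Constructed accounts (see lead-in). */
const struct user alice      = { "alice", true,  true,  true };
const struct user bob        = { "bob",   true,  false, true };
const struct user local_root = { "root",  false, false, true };

int main(void)
{
    /* 0 on the first line is the HBAC bypass: bob logs in although HBAC denies him. */
    printf("sufficient pam_sss, bob:              %d\n", stack_sss_sufficient(&bob));
    printf("required pam_sss, root:               %d\n", stack_sss_required(&local_root, false));
    printf("required + ignore_unknown_user, root: %d\n", stack_sss_required(&local_root, true));
    printf("required + ignore_unknown_user, bob:  %d\n", stack_sss_required(&bob, true));
    return 0;
}
```

Order matters in this model as it does in a real policy: with pam_unix listed first, the "sufficient" variant lets pam_unix's success stand even though pam_sss denied the user, which is exactly why the reporter marks pam_sss "required" and then needs PAM_IGNORE for users sssd has never heard of.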
Comment 1 Edwin Groothuis 2014-02-07 18:00:08 UTC
Maintainer of security/sssd,

Please note that PR ports/186545 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/186545

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 2 Edwin Groothuis 2014-02-07 18:00:09 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Comment 3 lukas.slebodnik 2014-02-08 11:39:09 UTC
On Fri, Feb 07, 2014 at 06:00:08PM +0000, Edwin Groothuis wrote:
> Maintainer of security/sssd,
> 
> Please note that PR ports/186545 has just been submitted.
> 
> If it contains a patch for an upgrade, an enhancement or a bug fix
> you agree on, reply to this email stating that you approve the patch
> and a committer will take care of it.
> 
> The full text of the PR can be found at:
>     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/186545
> 
You are right. It is not possible to obtain the same behaviour as on Linux.
OpenPAM does not recognise the following syntax.

account     [default=bad success=ok user_unknown=ignore] pam_sss.so

This is the same problem as in another PR:
http://www.freebsd.org/cgi/query-pr.cgi?pr=184464.

I have communicated with the reporter privately and I have a prepared patch. It will be
part of the work on including OpenPAM support in sssd, because sssd is heavily patched
on FreeBSD.

BTW, your patch solves the main issue, but there are other corner cases you did
not identify.

Thank you very much for the report. I will wait until the solution is accepted by
upstream.

LS
Comment 4 lukas.slebodnik 2014-03-22 14:46:02 UTC
On Sat, Feb 08, 2014 at 12:39:08PM +0100, Lukas Slebodnik wrote:
> You are right. It is not possible to obtain the same behaviour as on Linux.
> OpenPAM does not recognise the following syntax.
> 
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> 
> This is the same problem as in another PR:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=184464.
> 
> I have communicated with the reporter privately and I have a prepared patch. It will be
> part of the work on including OpenPAM support in sssd, because sssd is heavily patched
> on FreeBSD.
> 
> BTW, your patch solves the main issue, but there are other corner cases you did
> not identify.
> 
> Thank you very much for the report. I will wait until the solution is accepted by
> upstream.

The patch was accepted upstream with small changes a week ago.

Attached is the patch for the port.

LS
Comment 5 Mark Felder 2014-05-06 20:31:12 UTC
Responsible Changed
From-To: freebsd-ports-bugs->feld

I'll take it.
Comment 6 dfilter service 2014-05-07 15:18:59 UTC
Author: feld
Date: Wed May  7 14:18:54 2014
New Revision: 353157
URL: http://svnweb.freebsd.org/changeset/ports/353157
QAT: https://qat.redports.org/buildarchive/r353157/

Log:
  - rc script now passes rclint
  - rc script creates dirs in /var before launching daemon
  - add patch from upstream to match behavior of sssd on Linux
  
  https://fedorahosted.org/sssd/ticket/2232
  
  PR:		ports/186545
  Sponsored by:	SupraNet Communications, Inc

Added:
  head/security/sssd/files/patch-src__man__pam_sss.8.xml   (contents, props changed)
Modified:
  head/security/sssd/Makefile
  head/security/sssd/files/patch-src__sss_client__pam_sss.c
  head/security/sssd/files/sssd.in

Modified: head/security/sssd/Makefile
==============================================================================
--- head/security/sssd/Makefile	Wed May  7 14:11:35 2014	(r353156)
+++ head/security/sssd/Makefile	Wed May  7 14:18:54 2014	(r353157)
@@ -3,7 +3,7 @@
 
 PORTNAME=	sssd
 DISTVERSION=	1.9.6
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=   https://fedorahosted.org/released/${PORTNAME}/ \
 		http://mirrors.rit.edu/zi/
@@ -108,4 +108,10 @@ post-install:
 	(cd ${STAGEDIR}${PREFIX}/lib && ${LN} -s pam_sss.so pam_sss.so.5)
 	@${RM} -f ${STAGEDIR}${PREFIX}/lib/ldb/memberof.la
 
+	# clean these up from the install; we create them in rc script start_precmd
+.for VARDIRS in db/sss db/sss_mc log/sssd run/sss/krb5.include.d run/sss/private run/sss
+	@${RMDIR} ${STAGEDIR}/var/${VARDIRS}
+.endfor
+
+
 .include <bsd.port.post.mk>
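Review bot: the `.for VARDIRS` loop removes the staged `/var` directories so they are not packaged, but nothing in this change shows pkg-plist being adjusted; check that the plist no longer carries `@dir` (or `@dirrm`) entries for `db/sss`, `db/sss_mc`, `log/sssd` and the `run/sss` tree, otherwise `make check-plist` will flag them. The loop order (the `run/sss/*` children before `run/sss`) is right for `${RMDIR}`, which refuses non-empty directories. Style point: one of the two added blank lines before `.include <bsd.port.post.mk>` is surplus.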

Added: head/security/sssd/files/patch-src__man__pam_sss.8.xml
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/sssd/files/patch-src__man__pam_sss.8.xml	Wed May  7 14:18:54 2014	(r353157)
@@ -0,0 +1,43 @@
+From 1a7794d0e3c9fa47f7b0256518186ce214e93504 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Sat, 22 Mar 2014 15:09:34 +0100
+Subject: [PATCH 1/2] patch-src__man__pam_sss.8.xml
+
+---
+ src/man/pam_sss.8.xml | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git src/man/pam_sss.8.xml src/man/pam_sss.8.xml
+index 72b497ab34a520d21964824080c7f276b26706f4..5b4e456e2b0b7469a233d7bd98d296bec2d8e739 100644
+--- src/man/pam_sss.8.xml
++++ src/man/pam_sss.8.xml
+@@ -37,6 +37,9 @@
+             <arg choice='opt'>
+                 <replaceable>retry=N</replaceable>
+             </arg>
++            <arg choice='opt'>
++                <replaceable>ignore_unknown_user</replaceable>
++            </arg>
+         </cmdsynopsis>
+     </refsynopsisdiv>
+ 
+@@ -103,6 +106,16 @@
+                     <option>PasswordAuthentication</option>.</para>
+                 </listitem>
+             </varlistentry>
++            <varlistentry>
++                <term>
++                    <option>ignore_unknown_user</option>
++                </term>
++                <listitem>
++                    <para>If this option is specified and the user does not
++                    exist, the PAM module will return PAM_IGNORE. This causes
++                    the PAM framework to ignore this module.</para>
++                </listitem>
++            </varlistentry>
+         </variablelist>
+     </refsect1>
+ 
+-- 
+1.8.5.3
+
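Review bot: the new `ignore_unknown_user` entry in the man page states the mechanism (PAM_IGNORE, module ignored) but not the scope or the intended use, which the PR description supplies. Suggest saying that only users sssd does not know are affected and that the option is meant for stacking pam_sss as `required` alongside another module that handles local users, e.g. add after "ignore this module.": "Use this with the required control flag when local accounts unknown to sssd must still be handled by the other modules in the stack." Without that sentence an administrator may read it as making pam_sss ignorable for every user.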

Modified: head/security/sssd/files/patch-src__sss_client__pam_sss.c
==============================================================================
--- head/security/sssd/files/patch-src__sss_client__pam_sss.c	Wed May  7 14:11:35 2014	(r353156)
+++ head/security/sssd/files/patch-src__sss_client__pam_sss.c	Wed May  7 14:18:54 2014	(r353157)
@@ -1,17 +1,25 @@
-From 86816db5982df0c1b0c5f5722e23111c62ff362e Mon Sep 17 00:00:00 2001
+From 68fcd5f830b6451de5fd9d697fa6602dc3ca9972 Mon Sep 17 00:00:00 2001
 From: Lukas Slebodnik <lukas.slebodnik@intrak.sk>
 Date: Sat, 27 Jul 2013 15:02:31 +0200
-Subject: [PATCH 31/34] patch-src__sss_client__pam_sss.c
+Subject: [PATCH 2/2] patch-src__sss_client__pam_sss.c
 
 ---
- src/sss_client/pam_sss.c | 2 ++
- 1 file changed, 2 insertions(+)
+ src/sss_client/pam_sss.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
 
 diff --git src/sss_client/pam_sss.c src/sss_client/pam_sss.c
-index 3734c8f..7110d38 100644
+index 5fd276ccba15da1f689b1939a02288dda7a09d89..4cb976cf28eba5c14168a91eb23fe4101d2268f3 100644
 --- src/sss_client/pam_sss.c
 +++ src/sss_client/pam_sss.c
-@@ -125,10 +125,12 @@ static void free_exp_data(pam_handle_t *pamh, void *ptr, int err)
+@@ -52,6 +52,7 @@
+ #define FLAGS_USE_FIRST_PASS (1 << 0)
+ #define FLAGS_FORWARD_PASS   (1 << 1)
+ #define FLAGS_USE_AUTHTOK    (1 << 2)
++#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
+ 
+ #define PWEXP_FLAG "pam_sss:password_expired_flag"
+ #define FD_DESTRUCTOR "pam_sss:fd_destructor"
+@@ -125,10 +126,12 @@ static void free_exp_data(pam_handle_t *pamh, void *ptr, int err)
  
  static void close_fd(pam_handle_t *pamh, void *ptr, int err)
  {
@@ -24,6 +32,37 @@ index 3734c8f..7110d38 100644
  
      D(("Closing the fd"));
      sss_pam_close_fd();
+@@ -1292,6 +1295,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
+             }
+         } else if (strcmp(*argv, "quiet") == 0) {
+             *quiet_mode = true;
++        } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
++            *flags |= FLAGS_IGNORE_UNKNOWN_USER;
+         } else {
+             logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
+         }
+@@ -1429,6 +1434,9 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
+     ret = get_pam_items(pamh, &pi);
+     if (ret != PAM_SUCCESS) {
+         D(("get items returned error: %s", pam_strerror(pamh,ret)));
++        if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
++            ret = PAM_IGNORE;
++        }
+         return ret;
+     }
+ 
+@@ -1467,6 +1475,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
+ 
+         pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
+ 
++        if (flags & FLAGS_IGNORE_UNKNOWN_USER
++                && pam_status == PAM_USER_UNKNOWN) {
++            pam_status = PAM_IGNORE;
++        }
++
+         switch (task) {
+             case SSS_PAM_AUTHENTICATE:
+                 /* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during
 -- 
-1.8.0
+1.8.5.3
 
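Review bot: both PAM_USER_UNKNOWN to PAM_IGNORE conversions (after `get_pam_items` and after `send_and_receive`) sit ahead of `switch (task)`, so they apply to every phase, including SSS_PAM_AUTHENTICATE and SSS_PAM_CHAUTHTOK, not only account management as the PR description discusses. That is the right behaviour for a uniformly `required` pam_sss, but it means a stack using this option must contain another module that actually authenticates local users, since pam_sss now steps aside silently for them; the man page hunk should say so. Style point: `flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN` relies on `&` binding tighter than `&&`; write `(flags & FLAGS_IGNORE_UNKNOWN_USER) && ret == PAM_USER_UNKNOWN` in both places so the intent is obvious and no compiler warns about it.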

Modified: head/security/sssd/files/sssd.in
==============================================================================
--- head/security/sssd/files/sssd.in	Wed May  7 14:11:35 2014	(r353156)
+++ head/security/sssd/files/sssd.in	Wed May  7 14:18:54 2014	(r353157)
@@ -17,16 +17,26 @@
 
 . /etc/rc.subr
 
-name="sssd"
+name=sssd
 rcvar=sssd_enable
 
+# read configuration and set defaults
+load_rc_config "$name"
+
+: ${sssd_enable:=NO}
+: ${sssd_conf="%%PREFIX%%/etc/sssd/ssd.conf"}
+: ${sssd_flags="-f -D"}
+
 command="%%PREFIX%%/sbin/$name"
-sssd_flags="-f -D"
 pidfile="/var/run/$name.pid"
-required_files="%%PREFIX%%/etc/$name/$name.conf"
+required_files="${sssd_conf}"
+start_precmd=sssd_prestart
 
-# read configuration and set defaults
-load_rc_config "$name"
-: ${sssd_enable="NO"}
+sssd_prestart()
+{
+	for i in db/sss db/sss_mc log/sssd run/sss/krb5.include.d run/sss/private run/sss; do
+		if [ ! -d var/${i} ]; then mkdir -p /var/${i}; fi
+	done
+}
 
 run_rc_command "$1"
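Review bot: two defects in the added lines. First, `: ${sssd_conf="%%PREFIX%%/etc/sssd/ssd.conf"}` misspells the file name; the removed `required_files="%%PREFIX%%/etc/$name/$name.conf"` pointed at `sssd/sssd.conf`, so with the default value `required_files` now names a file that does not exist and the service will refuse to start unless the administrator sets `sssd_conf` in rc.conf. Second, in `sssd_prestart` the test `[ ! -d var/${i} ]` lacks the leading slash, so it checks a path relative to the current directory and is almost always true; `mkdir -p /var/${i}` then runs every start, which only works by accident because `mkdir -p` is idempotent. Write the test as `[ ! -d /var/${i} ]`, or drop the test and keep just `mkdir -p`. Since `run/sss/private` is created with whatever mode the umask gives, consider setting an explicit restrictive mode on it. Minor: `${sssd_enable:=NO}` uses `:=` while the two new defaults use `=`, so an empty `sssd_conf` or `sssd_flags` in rc.conf is not replaced by the default; use `:=` for all three.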
Comment 7 Mark Felder 2014-05-07 15:19:12 UTC
State Changed
From-To: feedback->closed

Committed, with minor changes. Thanks!
Comment 8 Dag-Erling Smørgrav 2016-11-15 13:36:09 UTC
I realize I'm late to the party, but the correct fix is to use "sufficient" instead of "required" in the PAM policy.