Alexey Lesovsky, 2013-03-29 08:22:16
linux

ssh lets a user in without checking that the password matches

Hello! I need someone who understands PAM and LDAP. I'm learning OpenLDAP, and my first practical task is to store users (their passwords and keys) in LDAP.
There are two options: through pam_ldap and pam_nss (the old way) and through sssd (the modern one). Although my understanding of the matter may be wrong ...
First I decided to set it up through pam_ldap and pam_nss. So:
1. On the server side I installed openldap, came up with a directory schema, made an ldif and loaded it into ldap.
2. On the client side I installed pam_ldap, pam_nss and openldap,
started configuring, and eventually got it to the point where sshd lets a user in with any password. I.e. I deliberately enter a wrong password, but it still lets me into the server.

Where did I make a mistake?

Available data
LDIF dump; I didn't cut anything out of the structure

# extended LDIF
#
# LDAPv3
# base <dc=trew,dc=ru> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# trew.ru
dn: dc=trew,dc=ru
description: Snowboarding Trash-Ugar Band
objectClass: organization
objectClass: dcObject
dc: trew
o: Pixota, Inc.

# people, trew.ru
dn: ou=people,dc=trew,dc=ru
description: All people in organization
objectClass: organizationalUnit
ou: people

# accounts, people, trew.ru
dn: ou=accounts,ou=people,dc=trew,dc=ru
description: All accounts in organization
objectClass: organizationalUnit
ou: accounts

# roles, people, trew.ru
dn: ou=roles,ou=people,dc=trew,dc=ru
description: All accounts in organization
objectClass: organizationalUnit
ou: accounts
ou: roles

# sudoers, people, trew.ru
dn: ou=sudoers,ou=people,dc=trew,dc=ru
description: All can perform sudo
objectClass: organizationalUnit
ou: accounts
ou: sudoers

# projects, trew.ru
dn: ou=projects,dc=trew,dc=ru
description: All projects in organization
objectClass: organizationalUnit
ou: projects

# superproj, projects, trew.ru
dn: ou=superproj,ou=projects,dc=trew,dc=ru
description: Super project
objectClass: organizationalUnit
ou: superproj

# servers, trew.ru
dn: ou=servers,dc=trew,dc=ru
description: All servers in organization
objectClass: organizationalUnit
ou: servers

# vpupkin, accounts, people, trew.ru
dn: uid=vpupkin,ou=accounts,ou=people,dc=trew,dc=ru
cn: Vasya Pupkin
givenName: Vasya
sn: Pupkin
uid: vpupkin
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/vpupkin
mail: vpupkin@local.dev
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: ldapPublicKey
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
sshPublicKey: ssh-rsa AAAA_tut_ya_vyrezal_dlinnyy_kusok_klyucha_a1T vpupkin
userPassword:: e1NTSEF9R0dEYTVEL3l5RitxanVidFMxc194dXJocVJxRTAKcG8=

# search result
search: 2
result: 0 Success

client /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so use_first_pass likeauth nullok
auth optional pam_permit.so

account sufficient pam_ldap.so
account required pam_unix.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_ldap.so use_authtok use_first_pass
password optional pam_deny.so

session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_ldap.so
session required pam_mkhomedir.so umask=0077 skel=/etc/skel/

client side /etc/ldap.conf
suffix "dc=trew,dc=ru"
uri ldap://ldap.trew.ru
ldap_version 3
scope one
timelimit 2
bind_timelimit 2
bind_policy soft
nss_base_passwd ou=accounts,ou=people,dc=trew,dc=ru?sub
nss_base_shadow ou=accounts,ou=people,dc=trew,dc=ru?sub
nss_base_group ou=projects,dc=trew,dc=ru?sub
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password exop
nss_reconnect_tries 4 # number of times to double the sleep time
nss_reconnect_sleeptime 1 # initial sleep value
nss_reconnect_maxsleeptime 16 # max sleep value to cap at
nss_reconnect_maxconntries # how many tries before sleeping
nss_initgroups_ignoreusers ldap,openldap,mysql,syslog,root,postgres

These are the only files I've had to edit so far.

As requested, here is a piece of the log from a login attempt
1) when trying to log in with an empty or correct password
sshd[25424]: Set /proc/self/oom_score_adj to 0
sshd[25424]: Connection from 10.101.14.50 port 32817
sshd[25424]: SSH: Server;Ltype: Version;Remote: 10.101.14.50-32817;Protocol: 2.0;Client: OpenSSH_6.1p1-hpn13v11
sshd[25424]: SSH: Server;Ltype: Kex;Remote: 10.101.14.50-32817;Enc: aes128-ctr;MAC: hmac-md5;Comp: none [preauth]
sshd[25424]: SSH: Server;Ltype: Authname;Remote: 10.101.14.50-32817;Name: vpupkin [preauth]
sshd[25424]: [LDAP] 'vpupkin' is not in 'superprj'
sshd[25424]: [LDAP] 'vpupkin' is not in 'superprj'
sshd[25424]: Failed publickey for vpupkin from 10.101.14.50 port 32817 ssh2
sshd[25424]: Postponed keyboard-interactive for vpupkin from 10.101.14.50 port 32817 ssh2 [preauth]
sshd[25424]: Postponed keyboard-interactive/pam for vpupkin from 10.101.14.50 port 32817 ssh2 [preauth]

sshd[25430]: pam_ldap: error trying to bind as user "uid=vpupkin,ou=accounts,ou=people,dc=trew,dc=ru" (Invalid credentials)
sshd[25436]: Postponed keyboard-interactive/pam for vpupkin from 10.101.14.50 port 32962 ssh2 [preauth]
sshd[25436]: Accepted keyboard-interactive/pam for vpupkin from 10.101.14.50 port 32962 ssh2

I want to draw attention to [LDAP] 'vpupkin' is not in 'superprj'. At the moment I have key verification configured, and since vpupkin is not in the specified group, sshd kicks him off at first. But then it lets him onto the server anyway))

here is the log with pam debug enabled: gist.github.com/daevy/5269171

5 answer(s)
Slipeer, 2013-03-29
@lesovsky

I suspect that authorization is passing on this line:

auth optional pam_permit.so

(unless, of course, you have separate rules defined for the sshd process in /etc/pam.d/sshd).
Try adding before this line:
auth requisite pam_deny.so
or
auth required pam_deny.so

PS Only for the duration of the experiment, keep an ssh session with root rights connected, so that you can revert everything if anything goes wrong.
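To see why that single optional pam_permit line decides the outcome, here is a small Python model of how libpam walks an auth stack. It is an added illustration, not code from the question or the answer: the control-keyword expansions are the ones documented in pam.conf(5), while the per-module return codes it feeds in are assumptions about one login attempt (pam_env's auth hook returning PAM_IGNORE, pam_ldap and pam_unix returning PAM_AUTH_ERR for a wrong password, pam_permit always succeeding, pam_deny always failing). The stack itself is the auth section posted above, with module arguments dropped.

```python
"""Model of libpam's 'auth' stack dispatch (added illustration, not from the post).

Control keywords are expanded as pam.conf(5) documents them:
  required   = [success=ok   new_authtok_reqd=ok   ignore=ignore default=bad]
  requisite  = [success=ok   new_authtok_reqd=ok   ignore=ignore default=die]
  sufficient = [success=done new_authtok_reqd=done default=ignore]
  optional   = [success=ok   new_authtok_reqd=ok   default=ignore]
Only the codes an auth stack actually produces are modelled below.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"  # libpam's PAM_MUST_FAIL_CODE for an undecided stack

CONTROL = {
    "required":   {PAM_SUCCESS: "ok",   PAM_IGNORE: "ignore", "default": "bad"},
    "requisite":  {PAM_SUCCESS: "ok",   PAM_IGNORE: "ignore", "default": "die"},
    "sufficient": {PAM_SUCCESS: "done", "default": "ignore"},
    "optional":   {PAM_SUCCESS: "ok",   "default": "ignore"},
}


def evaluate(stack, outcomes):
    """Walk `stack` ([(control, module), ...]) using `outcomes` (module -> code).

    Returns (final_code, trace). Bookkeeping mirrors libpam's dispatcher: an
    'impression' of UNDEF / POSITIVE / NEGATIVE plus the status to hand back.
    """
    impression, status = "UNDEF", PAM_PERM_DENIED
    trace = []
    for control, module in stack:
        retval = outcomes[module]
        table = CONTROL[control]
        action = table.get(retval, table["default"])
        trace.append(f"{control:<10} {module:<14} -> {retval:<15} action={action}")
        if action == "ok" and impression != "NEGATIVE":
            impression, status = "POSITIVE", retval
        elif action == "done" and impression != "NEGATIVE":
            return retval, trace  # a sufficient module decided the stack early
        elif action == "bad" and impression != "NEGATIVE":
            impression, status = "NEGATIVE", retval
        elif action == "die":
            return retval, trace  # requisite failure: stop immediately
        # 'ignore': the module's vote is dropped and nothing changes
    if impression == "UNDEF":
        return PAM_PERM_DENIED, trace  # nobody voted: libpam fails closed
    return status, trace


def login_allowed(stack, outcomes):
    return evaluate(stack, outcomes)[0] == PAM_SUCCESS


# The auth section of the posted system-auth, module arguments dropped.
POSTED_STACK = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_ldap.so"),
    ("sufficient", "pam_unix.so"),
    ("optional", "pam_permit.so"),
]

# The answer's fix: a deny that is only reached when no sufficient module won.
FIXED_STACK = POSTED_STACK[:3] + [("required", "pam_deny.so")] + POSTED_STACK[3:]

# Assumed per-module results for a login attempt with a WRONG password.
WRONG_PASSWORD = {
    "pam_env.so": PAM_IGNORE,      # assumption: pam_env's auth hook is a no-op
    "pam_ldap.so": PAM_AUTH_ERR,   # assumption: LDAP bind as uid=vpupkin,... failed
    "pam_unix.so": PAM_AUTH_ERR,   # assumption: no matching local hash
    "pam_permit.so": PAM_SUCCESS,  # pam_permit always succeeds
    "pam_deny.so": PAM_AUTH_ERR,   # pam_deny always fails
}
# Same attempt, but the LDAP bind succeeds (correct password).
RIGHT_PASSWORD = {**WRONG_PASSWORD, "pam_ldap.so": PAM_SUCCESS}


if __name__ == "__main__":
    for name, stack in (("posted", POSTED_STACK), ("fixed", FIXED_STACK)):
        for label, outcomes in (("wrong", WRONG_PASSWORD), ("right", RIGHT_PASSWORD)):
            code, trace = evaluate(stack, outcomes)
            print(f"{name} stack, {label} password -> {code}")
            for line in trace:
                print("   ", line)
```

With the posted stack and a wrong password, pam_env's PAM_IGNORE and both failed sufficient modules all map to ignore, so pam_permit's ok is the only vote left and the stack returns PAM_SUCCESS. With pam_deny inserted as required before it, the same attempt ends in PAM_AUTH_ERR, while a correct LDAP password still returns early through pam_ldap's done and never reaches the deny. The same model shows the general rule: any earlier required or optional module that returns PAM_SUCCESS would by itself carry an otherwise all-ignored stack, which is why a stack of sufficient modules should end in an explicit required pam_deny.so rather than a permit.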

Alexey Lesovsky, 2013-03-29
@lesovsky

>> Also, try changing the vpupkin password on the system using passwd.
[email protected] / $ passwd
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information update failed: Insufficient access
passwd: password updated successfully

Alexey Lesovsky, 2013-03-29
@lesovsky

Thank you!
>> auth requisite pam_deny.so
>> or
>> auth required pam_deny.so
Now it only lets me in by password (the keys are broken, but I think I can fix that); if the password is wrong or empty, it asks again or refuses.
Thank you!
Can you recommend a good modern book on PAM, in your opinion?
PS In parallel I set up the authorization scheme through sssd; there is no such behavior with passwords there)))

Alexey Lesovsky, 2013-03-29
@lesovsky

Alas, the keys did not work with the above config.
The distribution is Gentoo Linux.
man is certainly good)))) (I send everyone there too), but is there something else?

Alexey Lesovsky, 2013-03-29
@lesovsky

Yes, I'll dig deeper and read man. In any case, Slipeer , thank you very much!
