ports/186545: [PATCH] security/sssd: add ignore_unknown_user option to pam_sss
Pete Fritchman
petef at databits.net
Fri Feb 7 18:00:01 UTC 2014
>Number: 186545
>Category: ports
>Synopsis: [PATCH] security/sssd: add ignore_unknown_user option to pam_sss
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Feb 07 18:00:01 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Pete Fritchman
>Release: 10.0-RELEASE
>Organization:
>Environment:
FreeBSD zzz 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014 root at snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
When using pam_sss for HBAC (host-based access control), pam_sss must be marked as required in the account PAM facility ("sufficient" is not OK - if pam_sss denies access to a known user, we can't allow pam_unix.so to return success later and let the user log in). Much like pam_ldap, pam_sss needs to be able to return PAM_IGNORE in the case of an unknown user to satisfy the "required" PAM configuration.
>How-To-Repeat:
install security/sssd, configure & run sssd, add to sshd's pam config:
account required /usr/local/lib/pam_sss.so
and try to log in with a local user account.
>Fix:
diff attached.
This has also been submitted to the upstream maintainers: https://fedorahosted.org/sssd/ticket/2232
successful pam account configuration with this patch:
account required pam_nologin.so
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user
This enforces HBAC rules on users that pam_sss knows about, and allows local users (e.g. root) to log in.
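To make the control-flag reasoning in the description concrete, here is a small added model of how the account stack above is evaluated; it is an illustration written for this review, not code from the PR or from sssd. It assumes OpenPAM-style dispatch (a "required" failure is remembered but evaluation continues, a "sufficient" success ends the stack early unless a "required" module already failed, and PAM_IGNORE leaves the result untouched), stubs pam_unix and pam_sss with constructed user tables, and assumes pam_unix's account check succeeds for any user NSS can resolve, which with nss_sss includes sssd users. The module order matches the configuration quoted above.

```python
"""Toy model of PAM account-stack dispatch for the pam_sss 'ignore_unknown_user'
discussion. Added example, not part of the PR or of sssd; the dispatch rules are
an assumption modelled on OpenPAM, and the user tables are constructed."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_IGNORE = "PAM_IGNORE"

# Constructed sample data: users sssd knows, with their HBAC decision, and
# users that exist only in the local password database.
SSSD_USERS = {"alice": True, "bob": False}   # bob is denied by an HBAC rule
LOCAL_ONLY_USERS = {"root"}


def pam_sss_acct(user, ignore_unknown_user=False):
    """Stub of pam_sss account management: enforce HBAC for known users.
    Unknown users yield PAM_USER_UNKNOWN, or PAM_IGNORE with the new option."""
    if user not in SSSD_USERS:
        return PAM_IGNORE if ignore_unknown_user else PAM_USER_UNKNOWN
    return PAM_SUCCESS if SSSD_USERS[user] else PAM_PERM_DENIED


def pam_unix_acct(user):
    """Stub of pam_unix account management. Assumption: it succeeds for any
    user NSS resolves, i.e. local users and (via nss_sss) sssd users."""
    if user in LOCAL_ONLY_USERS or user in SSSD_USERS:
        return PAM_SUCCESS
    return PAM_USER_UNKNOWN


def run_account_stack(stack, user):
    """Evaluate [(control_flag, module_fn), ...] and return the final result,
    following the (assumed) OpenPAM rules for 'required' and 'sufficient'."""
    first_failure = None
    for control, module in stack:
        ret = module(user)
        if ret == PAM_IGNORE:
            continue                        # module opts out of the decision
        if control == "required":
            if ret != PAM_SUCCESS and first_failure is None:
                first_failure = ret         # remembered; keep running the stack
        elif control == "sufficient":
            if ret == PAM_SUCCESS and first_failure is None:
                return PAM_SUCCESS          # short-circuit success
            # a failing 'sufficient' module does not affect the result
        else:
            raise ValueError("unsupported control flag: %s" % control)
    return PAM_SUCCESS if first_failure is None else first_failure


def decide(user, sss_control, ignore_unknown_user):
    """Run the stack from the PR (pam_unix, then pam_sss) for one user, with
    pam_sss marked with the given control flag and option."""
    stack = [
        ("required", pam_unix_acct),
        (sss_control, lambda u: pam_sss_acct(u, ignore_unknown_user)),
    ]
    return run_account_stack(stack, user)


if __name__ == "__main__":
    for user in ("alice", "bob", "root", "mallory"):
        print("%-8s sufficient:%-17s required:%-17s required+ignore:%s" % (
            user,
            decide(user, "sufficient", False),
            decide(user, "required", False),
            decide(user, "required", True)))
```

Running it shows the three cases from the description: with pam_sss marked "sufficient", the HBAC-denied user bob still ends up with PAM_SUCCESS because pam_unix accepted him and the sufficient failure is discarded; with "required" but no option, the local-only root is refused with PAM_USER_UNKNOWN; with "required ignore_unknown_user", root passes, bob is denied, and a user known to neither database is still refused because pam_unix's required failure stands.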
Patch attached with submission follows:
--- files/patch-src__sss_client__pam_sss.c.orig 2014-02-07 12:39:44.000000000 -0500
+++ files/patch-src__sss_client__pam_sss.c 2014-02-07 12:39:57.000000000 -0500
@@ -1,17 +1,14 @@
-From 86816db5982df0c1b0c5f5722e23111c62ff362e Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lukas.slebodnik at intrak.sk>
-Date: Sat, 27 Jul 2013 15:02:31 +0200
-Subject: [PATCH 31/34] patch-src__sss_client__pam_sss.c
-
----
- src/sss_client/pam_sss.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git src/sss_client/pam_sss.c src/sss_client/pam_sss.c
-index 3734c8f..7110d38 100644
---- src/sss_client/pam_sss.c
-+++ src/sss_client/pam_sss.c
-@@ -125,10 +125,12 @@ static void free_exp_data(pam_handle_t *pamh, void *ptr, int err)
+--- src/sss_client/pam_sss.c.orig 2013-11-06 13:35:03.000000000 -0500
++++ src/sss_client/pam_sss.c 2014-02-07 12:38:51.000000000 -0500
+@@ -52,6 +52,7 @@
+ #define FLAGS_USE_FIRST_PASS (1 << 0)
+ #define FLAGS_FORWARD_PASS (1 << 1)
+ #define FLAGS_USE_AUTHTOK (1 << 2)
++#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
+
+ #define PWEXP_FLAG "pam_sss:password_expired_flag"
+ #define FD_DESTRUCTOR "pam_sss:fd_destructor"
+@@ -125,10 +126,12 @@
static void close_fd(pam_handle_t *pamh, void *ptr, int err)
{
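Review bot: nothing in this submission documents the new `ignore_unknown_user` option; the `FLAGS_IGNORE_UNKNOWN_USER` bit is added next to the existing `FLAGS_*` defines, but the port ships no corresponding change to the module's man page or option description, so a maintainer enabling HBAC has only this PR to learn the option exists. Replacing the `From:`/`Subject:`/`index` git preamble with plain `--- src/sss_client/pam_sss.c.orig` / `+++ src/sss_client/pam_sss.c` headers is fine for a ports patch file, but a one-line comment at the top of the file pointing at the upstream ticket given in the Fix section would keep the provenance that the dropped preamble used to carry.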
@@ -24,6 +21,22 @@
D(("Closing the fd"));
sss_pam_close_fd();
---
-1.8.0
-
+@@ -1292,6 +1295,8 @@
+ }
+ } else if (strcmp(*argv, "quiet") == 0) {
+ *quiet_mode = true;
++ } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
++ *flags |= FLAGS_IGNORE_UNKNOWN_USER;
+ } else {
+ logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
+ }
+@@ -1429,6 +1434,9 @@
+ ret = get_pam_items(pamh, &pi);
+ if (ret != PAM_SUCCESS) {
+ D(("get items returned error: %s", pam_strerror(pamh,ret)));
++ if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
++ ret = PAM_IGNORE;
++ }
+ return ret;
+ }
+
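Review bot: in the `@@ -1429,6 +1434,9 @@` hunk, `flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN` relies on `&` binding tighter than `&&`; it evaluates as intended, but writing `(flags & FLAGS_IGNORE_UNKNOWN_USER) && ret == PAM_USER_UNKNOWN` avoids a mixed-operator warning and reads unambiguously. The hunk carries no function-name context, so it is not visible from the patch whether this `get_pam_items()` failure path is reached only from the account stack or also from the auth, password and session entry points; since the PR justifies the option for the account facility, the change should state (or restrict) for which PAM actions an unknown user is converted to PAM_IGNORE. The final `+` line appends an empty line to the patch file and can be dropped.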
>Release-Note:
>Audit-Trail:
>Unformatted: