LDAP, pam, filters & ssh keys - ssh bypasses filters with keys

Andre van Eyssen andre at purplecow.org
Mon Jan 4 07:28:39 UTC 2021


'ello all!

A little background: I'm attempting to bring FreeBSD into an LDAP 
authenticated fold, based on openldap with rfc2307bis -- pretty much the 
standard minimal LDAP story. One deviation from the base is providing 
sshPublicKey via the ldapPublicKey objectclass.

Following the handbook this wasn't difficult. Integration of ssh keys took 
a few minutes longer than other operating systems because there isn't a 
bundled helper, but a couple of lines of shell sorted that out and returns 
an ssh key for a user so sshd is happy.

The final step is to implement restriction of users by group, which the 
documentation points to as being implementable by either pam_groupdn or 
pam_filter. Given pam_groupdn only handles a single group, I chose 
pam_filter to restrict access to two groups:

pam_filter |(memberOf=cn=fbsd-dev,ou=groups,dc=removed,dc=org)(memberOf=cn=testcase2,ou=groups,dc=removed,dc=org)

This worked fine with password authentication -- for example, password on 
ssh login, password for sudo attempts, etc. However, presence of an ssh 
key seems to leave ssh ignoring the filter and granting access even if the 
user is not in the matching LDAP groups.

I'm open to the idea that I may well have goofed my pam configuration or 
similar, but I can't seem to find any relevant documentation or examples 
that show where I've got it wrong. I understand that there are other 
restriction mechanisms (netgroups would seem obvious) but even if there is 
a workaround, this would strike me as a potential lurking security issue 
that should at least be considered for adding to the 
documentation/handbook.

Thanks for your patience!


pam.d/sshd:
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_ldap.so  no_warn
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
account         required        pam_login_access.so
account         required        /usr/local/lib/pam_ldap.so      no_warn ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so

# session
session         required        /usr/local/lib/pam_mkhomedir.so
session         required        pam_permit.so

# password
password        required        pam_unix.so             no_warn try_first_pass



-- 
Andre van Eyssen.                  Phone:     +61 417 211 788
mail:     andre at purplecow.org      http://andre.purplecow.org
About & Contact:          http://www.purplecow.org/andre.html
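An added example, not the poster's helper and not taken from the FreeBSD handbook: an AuthorizedKeysCommand script that puts the same group test the post's pam_filter expresses into the key lookup itself. The reason this matters is that sshd runs the PAM "auth" stack only for password-style methods; a publickey login never reaches pam_ldap's auth module, so pam_filter is never evaluated for it (the "account" and "session" stacks still run when UsePAM is on). The base DN and the two group DNs are the ones from the post; the LDAP URI, the script path and the AuthorizedKeysCommandUser are assumptions, and the LDIF sample is constructed for offline testing.

```sh
#!/bin/sh
# Added example, not the poster's helper and not from the FreeBSD handbook:
# an AuthorizedKeysCommand that only returns sshPublicKey values for users
# who are in one of the allowed groups. sshd runs the PAM "auth" stack only
# for password-style methods, so pam_filter never sees a publickey login;
# putting the same group test into the key lookup closes that gap.
#
# Assumed sshd_config lines (path and user are assumptions):
#   AuthorizedKeysCommand /usr/local/libexec/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser nobody

LDAP_URI="${LDAP_URI:-ldap://ldap.removed.org}"   # assumption
BASE_DN="${BASE_DN:-dc=removed,dc=org}"            # base DN from the post
# Allowed group DNs, one per line (the two groups from the post's pam_filter).
ALLOWED_GROUPS="cn=fbsd-dev,ou=groups,dc=removed,dc=org
cn=testcase2,ou=groups,dc=removed,dc=org"

# Escape the characters RFC 4515 reserves in filter values, so the login
# name sshd hands us cannot alter the shape of the filter.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the search filter: the entry must carry the ldapPublicKey objectclass,
# have the requested uid, and be a member of at least one allowed group.
build_filter() {
    _user=$(ldap_escape "$1")
    _groups=""
    for _g in $ALLOWED_GROUPS; do
        _groups="${_groups}(memberOf=${_g})"
    done
    printf '(&(objectClass=ldapPublicKey)(uid=%s)(|%s))' "$_user" "$_groups"
}

# Read LDIF on stdin, unfold continuation lines (a leading space), and print
# one sshPublicKey value per line. Base64-encoded values ("sshPublicKey::")
# are deliberately skipped rather than decoded.
extract_keys() {
    awk '
        function flush() {
            if (buf ~ /^sshPublicKey: /) print substr(buf, 15)
            buf = ""
        }
        /^ /  { buf = buf substr($0, 2); next }
        { flush(); buf = $0 }
        END   { flush() }
    '
}

# Constructed LDIF shaped like ldapsearch output (the key data is fake):
# one wrapped plain value that should be returned, one base64 value skipped.
SAMPLE_LDIF='dn: uid=andre,ou=people,dc=removed,dc=org
uid: andre
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATAFIRSTHALF
 SECONDHALF andre@example
sshPublicKey:: c3NoLXJzYSBBQUFB
'

main() {
    ldapsearch -LLL -x -H "$LDAP_URI" -b "$BASE_DN" -o ldif-wrap=no \
        "$(build_filter "$1")" sshPublicKey | extract_keys
}

# sshd passes the login name as $1; with no argument the script does nothing,
# so its functions can be exercised offline against SAMPLE_LDIF.
if [ $# -ge 1 ]; then
    main "$1"
fi
```

Two checks go with this. First, keep the pam_ldap "account" line in place as a second layer: that stack does run for publickey logins, and a quick experiment is to remove ignore_unknown_user from it and see whether the key-based login of a user outside the groups is then rejected, since that option turns a user the filtered search does not find into an ignored result. Second, run the script by hand as the AuthorizedKeysCommandUser for one user inside the groups and one outside; the second must print nothing.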

