LDAP, pam, filters & ssh keys - ssh bypasses filters with keys
Andre van Eyssen
andre at purplecow.org
Mon Jan 4 07:28:39 UTC 2021
'ello all!
A little background: I'm attempting to bring FreeBSD into an LDAP
authenticated fold, based on openldap with rfc2307bis -- pretty much the
standard minimal LDAP story. One deviation from the base is providing
sshPublicKey via the ldapPublicKey objectclass.
Following the handbook this wasn't difficult. Integration of ssh keys took
a few minutes longer than on other operating systems because there isn't a
bundled helper, but a couple of lines of shell sorted that out and return
an ssh key for a user so sshd is happy.
The final step is to implement restriction of users by group, which the
documentation points to as being implementable by either pam_groupdn or
pam_filter. Given pam_groupdn only handles a single group, I chose
pam_filter to restrict access to two groups:
pam_filter |(memberOf=cn=fbsd-dev,ou=groups,dc=removed,dc=org)(memberOf=cn=testcase2,ou=groups,dc=removed,dc=org)
This worked fine with password authentication -- for example, password on
ssh login, password for sudo attempts, etc. However, presence of an ssh
key seems to leave ssh ignoring the filter and granting access even if the
user is not in the matching LDAP groups.
I'm open to the idea that I may well have goofed my pam configuration or
similar, but I can't seem to find any relevant documentation or examples
that show where I've got it wrong. I understand that there are other
restriction mechanisms (netgroups would seem obvious) but even if there is
a workaround, this would strike me as a potential lurking security issue
that should at least be considered for adding to the
documentation/handbook.
Thanks for your patience!
pam.d/sshd:
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
account required pam_login_access.so
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
account required pam_unix.so
# session
session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so
# password
password required pam_unix.so no_warn try_first_pass
--
Andre van Eyssen. Phone: +61 417 211 788
mail: andre at purplecow.org http://andre.purplecow.org
About & Contact: http://www.purplecow.org/andre.html
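The gap described above is that pam_filter is consulted by pam_ldap during password authentication, while public-key logins never touch the PAM auth stack, so sshd accepts any key the AuthorizedKeysCommand helper hands back. One way to close it on the key-fetching side is to have that helper apply the same group restriction in its own LDAP query, so a user outside the allowed groups simply gets no keys. The script below is an added example, not the poster's helper; it assumes the OpenLDAP client `ldapsearch` is installed, and the LDAP URI, base DN and group DNs are placeholders to replace with your own.

```shell
#!/bin/sh
# AuthorizedKeysCommand helper: return sshPublicKey values for a user only
# if that user is a member of one of the allowed LDAP groups.
# Example code, not from the original post. The URI, base DN and group DNs
# below are assumed placeholders; override via the environment or edit them.

LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"
BASE_DN="${BASE_DN:-ou=people,dc=example,dc=org}"
# Space-separated list; assumes group DNs contain no spaces.
ALLOWED_GROUPS="cn=fbsd-dev,ou=groups,dc=example,dc=org cn=testcase2,ou=groups,dc=example,dc=org"

# Escape the characters RFC 4515 reserves inside a filter value, so that the
# username sshd passes as %u cannot change the structure of the filter.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the search filter: exact uid AND membership in at least one allowed
# group. This mirrors the (|(memberOf=...)(memberOf=...)) pam_filter value,
# which pam_ldap itself ANDs with the uid lookup during password auth.
build_filter() {
    user=$(ldap_escape "$1")
    grp_terms=""
    for g in $ALLOWED_GROUPS; do
        grp_terms="${grp_terms}(memberOf=${g})"
    done
    printf '(&(uid=%s)(|%s))' "$user" "$grp_terms"
}

# Query the directory and print only the key material sshd expects on stdout.
# ldif-wrap=no keeps long key lines unfolded; keys are ASCII, so the
# base64-encoded "sshPublicKey::" form is not expected and is ignored here.
fetch_keys() {
    ldapsearch -LLL -x -o ldif-wrap=no -H "$LDAP_URI" -b "$BASE_DN" \
        "$(build_filter "$1")" sshPublicKey \
        | sed -n 's/^sshPublicKey: //p'
}

# sshd invokes the helper with the username; with no argument nothing is queried.
if [ "$#" -ge 1 ]; then
    fetch_keys "$1"
fi
```

Wire it into sshd_config with `AuthorizedKeysCommand /usr/local/libexec/ldap-keys %u` and an unprivileged `AuthorizedKeysCommandUser`, and keep the pam_filter in place as well so both login paths enforce the same group list; a user who is removed from the groups then loses both password and key access at the next login attempt.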