sshd and pam_winbind (Samba)

Hello openssh developers,

long time no see :-)

there is a bug in sshd with *nix machines joined to Active Directory using 
Samba's winbind daemon.

The problem is that with cold caches, a user logging in via ssh possibly gets 
the wrong primary gid assigned. Let me try to explain in detail:

In Active Directory (AD) you only get a correct access token (group 
memberships of a user) during authentication. Only a Domain Controller (DC) is 
able to calculate the access token, as it has the required permission to collect 
the information in the forest.

When Samba authenticates a user using winbindd, we either authenticate the 
user using Kerberos or NTLM. We get the access token sent back upon successful 
authentication and store it in a cache. All system calls like getent are 
answered by looking up the information from that cache.

On a new connection the openssh server checks if the connecting username 
exists using getpwnam(); it then stores the 'struct passwd' in the session 
structure.

If the user gets authenticated using PAM through pam_winbind, we authenticate the 
user against our DC, get the correct access token and cache it. However, the 
openssh server doesn't update the passwd structure after a successful PAM 
authentication; it sets up the user context (setuid, setgid, initgroups) using 
the outdated information stored in the session structure.

The openssh server should update the passwd structure using getpwuid() before 
it sets up the user's context (setuid, setgid, initgroups)!

This is probably easy to fix; the question is whether you want to call getpwuid() 
directly after a successful PAM conversation or before dropping privileges?


Best regards,


	Andreas



-- 
Andreas Schneider                 asn@xxxxxxxxxxxxxx
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
