Re: sshd and pam_winbind (Samba)

On Tuesday, February 12, 2019 12:06:06 AM CET Damien Miller wrote:
> On Mon, 11 Feb 2019, Andreas Schneider wrote:
> > Hello openssh developers,
> > 
> > long time no see :-)
> > 
> > there is a bug in sshd with *nix machines joined to Active Directory using
> > Samba's winbind daemon.
> > 
> > The problem is that with cold caches, a user logging in via ssh gets
> > possibly the wrong primary gid assigned. Let me try to explain in detail:
> > 
> > In Active Directory (AD) you only get a correct access token (group
> > memberships of a user) during authentication. Only a Domain Controller
> > (DC) is able to calculate the access token as it has the required
> > permission to collect the information in the forest.
> > 
> > When Samba authenticates a user using winbindd, we either authenticate the
> > user using Kerberos or NTLM. We get the access token sent back upon
> > successful authentication and store it in a cache. All system calls like
> > getent are answered looking up the information from that cache.
> > 
> > On a new connection the openssh server checks if the connecting username
> > exists using getpwnam() it then stores the 'struct passwd' in the session
> > structure.
> > 
> > If the user gets authenticated using PAM through pam_winbind, we authenticate
> > the user against our DC, get the correct access token and cache it. However
> > the openssh server doesn't update the passwd structure after a successful
> > PAM authentication, it sets up the user context (setuid, setgid,
> > initgroups) using the outdated information stored in the session
> > structure.
> > 
> > The openssh server should update the passwd structure using getpwuid()
> > before it sets up the users context (setuid, setgid, initgroups)!
> > 
> > This is probably easy to fix, the question is when you want to call
> > getpwuid() directly after a successful PAM conversation or before
> > dropping privileges?
> I don't want to support struct passwd fiddling via PAM - it makes the
> server considerably more difficult to reason about. I'm pretty sure
> the other developers feel the same way.

I don't really see why a getpwuid() would make it more complex. As it seems 
unclear what I mean, see the attached patch.
 
> IMO a nis/nsswitch module is the right way to implement this sort of
> functionality.

We have an nss_winbind module, and it will provide correct user information 
after the user has been successfully authenticated. For that you need to read 
the user information after successful login.

I hope the patch makes it clear.


Best regards,


	Andreas

-- 
Andreas Schneider                 asn@xxxxxxxxxxxxxx
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
From 097b7744ea81cc1ed285e9bf25ecbc5236cda35b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@xxxxxxxxxxxxxx>
Date: Tue, 12 Feb 2019 09:43:55 +0100
Subject: [PATCH] session: Update the passwd structure after successful login

In environments which only get a valid access token after successful
login, we need to make sure to get the latest group memberships
information.

Signed-off-by: Andreas Schneider <asn@xxxxxxxxxxxxxx>
---
 session.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/session.c b/session.c
index 96167548..28e41cb2 100644
--- a/session.c
+++ b/session.c
@@ -1512,7 +1512,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 	extern char **environ;
 	char **env, *argv[ARGV_MAX], remote_id[512];
 	const char *shell, *shell0;
-	struct passwd *pw = s->pw;
+	struct passwd *pw = NULL;
 	int r = 0;
 
 	sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
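Review bot: changing the initializer at the top of do_child() from `s->pw` to `NULL` opens a window in which `pw` is NULL until the lookup in the next hunk runs; none of the visible context lines dereference it before then, but any code between `sshpkt_fmt_connection_id()` and the refresh that touches `pw` would now crash. Keeping `struct passwd *pw = s->pw;` and simply reassigning `pw` after the refresh gives the same result without the NULL window and makes the `else { pw = s->pw; }` fallback in the next hunk unnecessary.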
@@ -1521,6 +1521,15 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 	destroy_sensitive_data();
 	ssh_packet_clear_keys(ssh);
 
+	/* Update the users passwd structure after successful login */
+	pw = getpwuid(s->pw->pw_uid);
+	if (pw != NULL) {
+		free(s->pw);
+		s->pw = pw;
+	} else {
+		pw = s->pw;
+	}
+
 	/* Force a password change */
 	if (s->authctxt->force_pwchange) {
 		do_setusercontext(pw);
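Review bot: `getpwuid()` returns a pointer to static storage owned by libc, so assigning it to `s->pw` and later calling `free(s->pw)` on it, or letting any subsequent getpw* call in this process overwrite it, is undefined behaviour; deep-copy the result before storing it (OpenSSH already has `pwcopy()` for this). The `free(s->pw)` also releases only the outer struct, so the string members of the old copy leak, and any other pointer to that old structure is left dangling. Consider looking the account up by `s->pw->pw_name` and rejecting a result whose `pw_uid` differs, so the refresh cannot silently switch to another account sharing the uid, and log a failed lookup instead of falling back to the stale entry without a trace.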
-- 
2.20.1

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
