On Tuesday, February 12, 2019 12:06:06 AM CET Damien Miller wrote:
> On Mon, 11 Feb 2019, Andreas Schneider wrote:
> > Hello openssh developers,
> >
> > long time no see :-)
> >
> > there is a bug in sshd with *nix machines joined to Active Directory using
> > Samba's winbind daemon.
> >
> > The problem is that with cold caches, a user logging in via ssh possibly
> > gets the wrong primary gid assigned. Let me try to explain in detail:
> >
> > In Active Directory (AD) you only get a correct access token (group
> > memberships of a user) during authentication. Only a Domain Controller
> > (DC) is able to calculate the access token as it has the required
> > permission to collect the information in the forest.
> >
> > When Samba authenticates a user using winbindd, we either authenticate the
> > user using Kerberos or NTLM. We get the access token sent back upon
> > successful authentication and store it in a cache. All system calls like
> > getent are answered looking up the information from that cache.
> >
> > On a new connection the openssh server checks if the connecting username
> > exists using getpwnam() it then stores the 'struct passwd' in the session
> > structure.
> >
> > If the user gets authenticated using PAM through pam_winbind we authenticate
> > the user against our DC, get the correct access token and cache it. However
> > the openssh server doesn't update the passwd structure after a successful
> > PAM authentication, it sets up the user context (setuid, setgid,
> > initgroups) using the outdated information stored in the session
> > structure.
> >
> > The openssh server should update the passwd structure using getpwuid()
> > before it sets up the user's context (setuid, setgid, initgroups)!
> >
> > This is probably easy to fix; the question is whether you want to call
> > getpwuid() directly after a successful PAM conversation or before
> > dropping privileges?
> I don't want to support struct passwd fiddling via PAM - it makes the
> server considerably more difficult to reason about. I'm pretty sure
> the other developers feel the same way.
I don't really see why a getpwuid() would make it more complex. As it seems
not clear what I mean, see attached patch.
> IMO a nis/nsswitch module is the right way to implement this sort of
> functionality.
We have an nss_winbind module and it will provide correct user information
after the user has been successfully authenticated. For that you need to read
the user information after successful login.
I hope the patch makes it clear.
Best regards,
Andreas
--
Andreas Schneider asn@xxxxxxxxxxxxxx
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
From 097b7744ea81cc1ed285e9bf25ecbc5236cda35b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@xxxxxxxxxxxxxx>
Date: Tue, 12 Feb 2019 09:43:55 +0100
Subject: [PATCH] session: Update the passwd structure after successful login
In environments which only get a valid access token after successful
login, we need to make sure to get the latest group memberships
information.
Signed-off-by: Andreas Schneider <asn@xxxxxxxxxxxxxx>
---
session.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/session.c b/session.c
index 96167548..28e41cb2 100644
--- a/session.c
+++ b/session.c
@@ -1512,7 +1512,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
extern char **environ;
char **env, *argv[ARGV_MAX], remote_id[512];
const char *shell, *shell0;
- struct passwd *pw = s->pw;
+ struct passwd *pw = NULL;
int r = 0;
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
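Review bot: changing the declaration from `struct passwd *pw = s->pw;` to `struct passwd *pw = NULL;` leaves pw invalid from the top of do_child() until the getpwuid() block further down, so any use of pw in between (now, or after a later edit) dereferences NULL in the child. Keeping the original `struct passwd *pw = s->pw;` and reassigning pw only when the refresh succeeds is safer and also makes the `else { pw = s->pw; }` fallback in the second hunk unnecessary.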
@@ -1521,6 +1521,15 @@ do_child(struct ssh *ssh, Session *s, const char *command)
destroy_sensitive_data();
ssh_packet_clear_keys(ssh);
+ /* Update the users passwd structure after successful login */
+ pw = getpwuid(s->pw->pw_uid);
+ if (pw != NULL) {
+ free(s->pw);
+ s->pw = pw;
+ } else {
+ pw = s->pw;
+ }
+
/* Force a password change */
if (s->authctxt->force_pwchange) {
do_setusercontext(pw);
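Review bot: `pw = getpwuid(s->pw->pw_uid);` returns a pointer into libc-owned static storage, yet the block then does `free(s->pw); s->pw = pw;`, so the session now references memory it does not own: the next getpw*() call (initgroups() or the shell setup may well trigger one) overwrites the record in place, and any later free of s->pw is undefined behaviour. If the old s->pw was built with pwcopy(), as OpenSSH does elsewhere, a bare free() also leaks its pw_name/pw_dir/pw_shell strings. Suggest deep-copying the fresh record (pwcopy()) and releasing the old one with its matching free routine. Separately, the lookup is keyed by uid only: if two records share that uid, the refreshed pw_name/pw_dir/pw_shell can describe a different account than the one that just authenticated, so the new record should be adopted only if its pw_name still matches s->pw->pw_name.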
--
2.20.1
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev