Re: A question about LDAP Public Key authentication with openssh 9.8p1

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 12/10/2024 13:19, Qingtao Cao wrote:
Since there is no nss-ldap (not to mention sssd), a separate PAM module has been used once the public key authentication is a success, to allocate an unused uid/gid for the remote user, also creating its home directory (which are all specified on the LDAP server but there is no nss-ldap to fetch these configuration) so that the remote-only user can login successfully.

How would the PAM module signal back to sshd which uid/gid has been selected to switch to?  Or are you thinking that sshd starts every session as root, and you're expecting the PAM session module itself to switch uid/gid?!


But will this bring about any unexpected vulnerability?

It sounds extremely insecure to me, if it were to work at all.

If you disagree, then I think you would need to lay out, in much more detail, exactly how you expect PAM to handle the uid/gid switching (in particular, what happens in each of the "auth", "account" and "session" calls)

In any case, even after a user has logged in, you still need to map uids<->usernames and gids<->groupnames - even for simple cases like running "id" or "ls -l" - both for the currently logged-in user and all other users.  I don't think you can avoid nss_ldap or sssd.  In which case, just deploy it and then you don't need to mess with sshd.

That's unless you want all these external remote users to login as the *same* uid - in which case, you can just create an entry for this shared account in /etc/passwd.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux