On Mon, Apr 29, 2002 at 09:07:09PM +1000, Tim Johnston wrote:

> I appreciate that there are security issues involved with this, but in my
> situation it's necessary to do this to set up single-purpose workstations.
> That is, terminals that when turned on, start up and run particular
> programs, and logout when that program exits. There are endless practical
> applications for this - information booths, data entry terminals, and so
> on, where you want a machine to have a particular single function, and you
> particularly care who operates it. I believe that this is important, vital
> even, but clearly not many other people feel the same way, or there would
> already be a solution available.

If it has a hard drive, you can also set up workstations to do automatic
network logins using, e.g., ssh keys. You can do this even if you don't have
a local hard drive, though some of the security goes out the window when
you're reading your ssh private key across NFS. :)

> So, much as I was reluctant to do this, I've done something myself -
> shamelessly cobbled together from various other modules. And guess what? It
> works! It does what I want it to do. But I thought that I should bounce
> this off this mailing list to see if persons more knowledgeable than myself
> can assist in improving this. I'm aware that the code is rough, in
> particular, I was uncertain about how to finish and grant access. As I say,
> what is here works, but maybe it can be improved.
>
> The idea is: a configuration file, hard coded as /etc/autologin.conf as
> follows:
>
> machine1.test.net boris
> ttyS1 natasha
>
> There are two "fields" to the file. The first is either an IP or TTY, the
> second entry is the user to be logged in as.
>
> /etc/pam.d/login has as its first line:
>
> auth sufficient /lib/security/pam_autologin.so
>
> pam_autologin checks that the config file exists, that it is owned by user
> and group root, and has permissions of 0600. If so, if either the tty or the
> IP matches the first field, the connecting terminal is logged in as the user
> in the second field. If pam_autologin logs the user in, this is logged, if
> not, control passes silently to the other modules in the /etc/pam.d/login
> stack.

Two concerns with the above. First, you don't have any distinguishing tags
to differentiate hostnames from tty's. If I know you're using this module on
a server, I can subvert your security by configuring my DNS to say I have a
hostname of 'ttyS1'.

Second, why are you insisting on permissions of 0600? This is against Debian
policy regarding config files, for instance, and it really doesn't buy you
much in the way of security: if I have enough access to the system that I
can see /etc/autologin.conf is present, I can probably also watch the system
and see what users are getting access from what hostnames/tty's: it wouldn't
take an attacker long to gather enough information this way to be useful.

> **** As shown, the config file uses DNS names, following the available item
> "retval = pam_get_item (pamh, PAM_RHOST, (const void **)&current);", but
> really I would have preferred to use IPs, to avoid the extra step of name
> lookups. Anyone know how to do this?

The DNS lookup has already been done for you by PAM, so not using it doesn't
save you anything. However, see above regarding the dangers of DNS spoofing
here.

Regards,
Steve Langasek
postmodern programmer