From: Evilham <contact@evilham.com>
To: FreeBSD User
Cc: freebsd-current@freebsd.org
Subject: Re: PAM: SSH: reject login when homedir does not exist?
Date: Sun, 17 Apr 2022 13:21:49 +0200
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Sun, Apr 17 2022, FreeBSD User wrote:
> Hello fellows, happy Easter!
>
> I ran into a security issue this morning here and tried to look for a
> solution. We use OpenLDAP for all "regular users" login on hosts and web
> services. Authentication is required from some cloud/moodle services via
> LDAP, but some users not having any home directory on any machine within
> the domain will still be allowed to log in, even if the home dir is not
> present. They get logged in onto the root of the filesystem when logging
> in via SSH.
>
> Is there a way to prohibit login if homedir isn't present? Can you point
> me to the right place (PAM or something, pam_env isn't available on
> FreeBSD)?
>
> If this is a trivial issue and caused by lack of my personal knowledge,
> please excuse.
>
> Kind regards,

Hey,

even if you manage to do that, you probably shouldn't address your problem
this way: existence of a directory is a rather weak assertion to make when
deciding whether or not someone should be able to get a shell.

Take a look at AllowGroups and AllowUsers in man 5 sshd_config, that should
fit your use-case much better.

Other than that, you probably want to change their shell and stuff like
that. Do check:

https://docs.freebsd.org/en/books/handbook/security/#security-intro

And adapt to your LDAP setup.

Also, mid-term this M.W. Lucas' Absolute FreeBSD is a really good place to
learn things:

https://mwl.io/nonfiction/os#af3e

PS: This mailing list is for things related to FreeBSD-CURRENT; it seems
like this question might be a better fit for freebsd-questions@, since it
is related to systems in general.

Cheers,
-- 
Evilham
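The reply's point is that "has a home directory" is a poor access-control signal and that the shell-access decision belongs in sshd's AllowUsers/AllowGroups. The script below is an added example (not code from either poster): one function lists accounts whose home directory is missing on the host, so the admin can see who the original question is really about, and a second checks an sshd_config text for an AllowUsers/AllowGroups restriction. The passwd lines and the sshd_config fragments are constructed sample data; the root-prefix parameter and the `MIN_UID` default of 1000 are assumptions for testing against a scratch directory tree rather than the live system.

```sh
#!/bin/sh
# Added example: audit accounts without a home directory, and check whether
# sshd_config limits who may log in (AllowUsers/AllowGroups), as recommended
# in the reply above. Sample inputs below are constructed, not real data.

# Constructed passwd(5)-style lines: name:passwd:uid:gid:gecos:home:shell
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/sh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
svc-moodle:*:1003:1003:Moodle service:/nonexistent:/usr/sbin/nologin'

# Constructed sshd_config fragments: one without any login restriction,
# one that restricts shell access to two groups (a commented-out directive
# must not count as a restriction).
SAMPLE_SSHD_UNRESTRICTED='PermitRootLogin no
PasswordAuthentication no'
SAMPLE_SSHD_RESTRICTED='PermitRootLogin no
# AllowGroups disabled-group
AllowGroups sshusers wheel'

# users_without_home PASSWD_TEXT [MIN_UID] [ROOT_PREFIX]
# Prints, one per line, the accounts with uid >= MIN_UID (default 1000)
# whose home directory does not exist. ROOT_PREFIX (assumed, for tests) is
# prepended to each home path so the check can run against a scratch tree.
users_without_home() {
    printf '%s\n' "$1" | awk -F: -v min="${2:-1000}" -v root="${3:-}" '
        $3 >= min { print $1 ":" root $6 }' |
    while IFS=: read -r name home; do
        [ -d "$home" ] || printf '%s\n' "$name"
    done
}

# sshd_restricts_logins SSHD_CONFIG_TEXT
# Prints the AllowUsers/AllowGroups lines found (keywords are
# case-insensitive in sshd_config; comment lines are skipped). Returns 0 if
# at least one is present, 1 if logins are not restricted by user or group.
# Assumes the "Keyword value" spelling, not "Keyword=value".
sshd_restricts_logins() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "allowusers" || tolower($1) == "allowgroups" {
            found = 1; print $0
        }
        END { exit found ? 0 : 1 }'
}

# Usage on a live FreeBSD host (reads the real databases; not run here):
#   users_without_home "$(getent passwd)"
#   sshd_restricts_logins "$(cat /etc/ssh/sshd_config)" \
#       || echo "sshd: logins not restricted by AllowUsers/AllowGroups"
```

Listing the home-less accounts is for visibility only; the enforcement step remains the AllowGroups line, with LDAP users who should get a shell placed in the allowed group and everyone else left out.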