Date: Mon, 04 Jan 2021 18:28:25 +1100 (AEDT)
From: Andre van Eyssen <andre@purplecow.org>
To: freebsd-questions@freebsd.org
Subject: LDAP, pam, filters & ssh keys - ssh bypasses filters with keys
Message-ID: <alpine.GSO.2.21.2101041806350.24389@castillo.mexico.purplecow.org>
'ello all!

A little background: I'm attempting to bring FreeBSD into an LDAP authenticated fold, based on openldap with rfc2307bis -- pretty much the standard minimal LDAP story. One deviation from the base is providing sshPublicKey via the ldapPublicKey objectclass.

Following the handbook this wasn't difficult. Integration of ssh keys took a few minutes longer than other operating systems because there isn't a bundled helper, but a couple of lines of shell sorted that out and returns an ssh key for a user so sshd is happy.

The final step is to implement restriction of users by group, which the documentation points to as being implementable by either pam_groupdn or pam_filter. Given pam_groupdn only handles a single group, I chose pam_filter to restrict access to two groups:

    pam_filter |(memberOf=cn=fbsd-dev,ou=groups,dc=removed,dc=org)(memberOf=cn=testcase2,ou=groups,dc=removed,dc=org)

This worked fine with password authentication -- for example, password on ssh login, password for sudo attempts, etc. However, presence of an ssh key seems to leave ssh ignoring the filter and granting access even if the user is not in the matching LDAP groups.

I'm open to the idea that I may well have goofed my pam configuration or similar, but I can't seem to find any relevant documentation or examples that show where I've got it wrong. I understand that there are other restriction mechanisms (netgroups would seem obvious) but even if there is a workaround, this would strike me as a potential lurking security issue that should at least be considered for adding to the documentation/handbook.

Thanks for your patience!

pam.d/sshd:

    # auth
    auth        sufficient  pam_opie.so                     no_warn no_fake_prompts
    auth        requisite   pam_opieaccess.so               no_warn allow_local
    auth        sufficient  /usr/local/lib/pam_ldap.so      no_warn
    auth        required    pam_unix.so                     no_warn try_first_pass

    # account
    account     required    pam_nologin.so
    account     required    pam_login_access.so
    account     required    /usr/local/lib/pam_ldap.so      no_warn ignore_authinfo_unavail ignore_unknown_user
    account     required    pam_unix.so

    # session
    session     required    /usr/local/lib/pam_mkhomedir.so
    session     required    pam_permit.so

    # password
    password    required    pam_unix.so                     no_warn try_first_pass

-- 
Andre van Eyssen.
Phone: +61 417 211 788
mail: andre@purplecow.org
http://andre.purplecow.org
About & Contact: http://www.purplecow.org/andre.html
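One defensive pattern for the situation described above is to apply the same group restriction at the key-lookup step, so that a user outside the allowed groups never gets a key handed to sshd at all. The script below is an added example (not the poster's helper, and not FreeBSD or pam_ldap code): an AuthorizedKeysCommand wrapper around ldapsearch that ANDs the post's two-group filter into the uid search and unfolds the LDIF it gets back. LDAP_URI, BASE_DN and the script path in the comment are placeholders; the group DNs are the ones from the post.

```shell
#!/bin/sh
# Added example: AuthorizedKeysCommand helper that fences pubkey logins with
# the same two-group LDAP filter the post uses for pam_filter.
# LDAP_URI and BASE_DN are placeholders, not values from the post.
LDAP_URI="ldap://ldap.example.invalid"
BASE_DN="ou=people,dc=removed,dc=org"
GROUP_FILTER='(|(memberOf=cn=fbsd-dev,ou=groups,dc=removed,dc=org)(memberOf=cn=testcase2,ou=groups,dc=removed,dc=org))'

# Only accept plain usernames; RFC 4515 metacharacters such as '*', '(' and ')'
# in %u would otherwise change the meaning of the search filter.
safe_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s' "$1"
}

# AND the uid match with the group restriction: a non-member matches nothing,
# so sshd receives an empty key list for that account.
build_filter() {
    printf '(&(objectClass=ldapPublicKey)(uid=%s)%s)' "$1" "$GROUP_FILTER"
}

# ldapsearch folds values longer than 76 columns onto continuation lines that
# start with a single space; unfold them and print each sshPublicKey value.
# Base64-encoded attributes ("sshPublicKey:: ...") are not decoded here.
extract_keys() {
    awk '
        function flush() {
            if (buf ~ /^sshPublicKey: /) print substr(buf, 15)
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }
        { flush(); buf = $0 }
        END { flush() }
    '
}

# Entry point, e.g. in sshd_config (placeholder path):
#   AuthorizedKeysCommand /usr/local/sbin/ldap-keys %u
#   AuthorizedKeysCommandUser nobody
authorized_keys_for() {
    user=$(safe_user "$1") || return 1
    ldapsearch -LLL -x -H "$LDAP_URI" -b "$BASE_DN" \
        "$(build_filter "$user")" sshPublicKey | extract_keys
}
```

Because the restriction now lives in the key lookup, it holds whether or not the PAM auth stack runs for a given login method.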