<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.linux.pam">
    <title>gmane.linux.pam</title>
    <link>http://permalink.gmane.org/gmane.linux.pam</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4186"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4185"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4184"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4183"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4182"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4181"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4180"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4179"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4178"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4177"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4176"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4175"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4174"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4173"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4172"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4171"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4170"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4169"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4168"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.pam/4167"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4186">
    <title>Re: PAM faillock and sssd</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4186</link>
    <description>&lt;pre&gt;Hi Tomas,

Thanks again for your help.

On Jun 06, 2013, at 01:44 PM, Tomas Mraz &amp;lt;tmraz&amp;lt; at &amp;gt;redhat.com&amp;gt; wrote:

On Thu, 2013-06-06 at 18:24 +0000, Bryan Harris wrote: 
I'd have to see your current PAM config to tell. Also you need to
examine the failures before you login successfully with that user -
because the account required pam_faillock.so will reset the failures
once the user successfully authenticates.
 
In my file below, I changed the sssd line back to sufficient instead of the stuff I had placed in it before.  When I do a failed login for my sssd account, it does not any longer increment the counter for me (Yay!).

However, in my testing, I'm trying to login as root but the counter is not incrementing.  I've tried both using ssh as well as using the consoles.  Each time I just type a bunch of wrong letters for my root user password, but my counters don't change.  In fact I don't even see the root counter any more.  I wonder if I've broken the faillock mechanism...?

#%PAM-1.0
# This file is auto-g&lt;/pre&gt;</description>
    <dc:creator>Bryan Harris</dc:creator>
    <dc:date>2013-06-07T17:12:54</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4185">
    <title>Re: PAM faillock and sssd</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4185</link>
    <description>&lt;pre&gt;On Thu, 2013-06-06 at 18:24 +0000, Bryan Harris wrote: 
As though an error happened 


Nope, because the 'sufficient' pam_unix and pam_sss modules will just
terminate the PAM stack execution with success when the user gives
correct password. Please study the pam.conf manual page.

The success function of the module should be called if the module that
does the password verification succeeds (how to do can be seen in the
first example in the pam_faillock manpage). However this makes the
configuration more complicated if you have multiple such modules as in
your case.

I'd have to see your current PAM config to tell. Also you need to
examine the failures before you login successfully with that user -
because the account required pam_faillock.so will reset the failures
once the user successfully authenticates.

&lt;/pre&gt;</description>
    <dc:creator>Tomas Mraz</dc:creator>
    <dc:date>2013-06-06T18:44:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4184">
    <title>Re: PAM faillock and sssd</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4184</link>
    <description>&lt;pre&gt;Hi Tomas,

Thanks for your response.

On Jun 06, 2013, at 09:28 AM, Tomas Mraz &amp;lt;tmraz&amp;lt; at &amp;gt;redhat.com&amp;gt; wrote:

This is not correct, the third pam_faillock line would never be called
as the second line will always fail. So you can remove it.
 
I see what you're saying, is this because [default=die] causes all return codes to act as though an error happened?  But why does the pam_faillock man page say to place the lines in this way?  Even more important why can I login successfully with that configuration?  Shouldn't I fail to login all the time?

I was under the impression that one of the lines has a success type function and the other one has a failure type function.

And just add
account required pam_faillock.so
line to the beginning of account section. Otherwise the fail count will
never be reset on successful authentication.
 
I have removed the 3rd line, and I have placed the account line at the beginning of the account section.  For some reason now, faillock does not increment new failures for my users&lt;/pre&gt;</description>
    <dc:creator>Bryan Harris</dc:creator>
    <dc:date>2013-06-06T18:24:03</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4183">
    <title>Re: PAM faillock and sssd</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4183</link>
    <description>&lt;pre&gt;This is not correct, the third pam_faillock line would never be called
as the second line will always fail. So you can remove it.

And just add
account  required       pam_faillock.so
line to the beginning of account section. Otherwise the fail count will
never be reset on successful authentication.

Tomas Mraz

On Thu, 2013-06-06 at 12:14 +0000, Bryan Harris wrote: 

&lt;/pre&gt;</description>
    <dc:creator>Tomas Mraz</dc:creator>
    <dc:date>2013-06-06T14:28:00</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4182">
    <title>PAM faillock and sssd</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4182</link>
    <description>&lt;pre&gt;Hi all,

I believe I have accomplished my goal, I'm just wanting to verify with the list that this is the right way to get what I want.  Our configuration is as follows.

1. RHEL 6 with some local accounts.
2. We are using sssd to authenticate to Active Directory for other accounts.
3. We don't want a faillock table maintained for sssd-authenticated users because AD has its own way to do this.
4. We _do_ want faillock for local users.

Our auth section of the system-auth-ac file previously looked like this,

auth        required      pam_env.so
auth        required      pam_faillock.so preauth audit deny=3 unlock_time=900
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid &amp;gt;= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=900 fail_interval=900
auth        sufficient    pam_faillock.&lt;/pre&gt;</description>
    <dc:creator>Bryan Harris</dc:creator>
    <dc:date>2013-06-06T12:14:40</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4181">
    <title>PAM access.conf</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4181</link>
    <description>&lt;pre&gt;Hi all,

I have the following lines in my file /etc/security/access.conf for the purpose of my testing.

- : bryan.harris.adm : ALL
- : ALL : ALL

When I place the following into /etc/pam.d/sshd I can prevent my login.  The error is "pam_access(sshd:account): access denied for user `bryan.harris.adm' from" which looks like exactly what I want to see.

account required pam_access.so

When I place the following into /etc/pam.d/sshd I can once again login just fine and access.conf seems to be ignored.

account required pam_access.so listsep=,

The motivation is that I want to only allow the AD group "Linux Admins" (without quotes) to be able to login.  So eventually I want to get a line like - : &amp;lt; at &amp;gt;Linux Admins : ALL into my /etc/security/access.conf file.

Can anyone explain how I can make this work properly?  I doubt I can convince the Windows guys to not use spaces in their group names but I could try.
Bryan
_______________________________________________
Pam-list mailing list
Pam-list&amp;lt; at &amp;gt;redhat.com
https://www&lt;/pre&gt;</description>
    <dc:creator>Bryan Harris</dc:creator>
    <dc:date>2013-06-04T14:14:40</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4180">
    <title>Re: Re:</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4180</link>
    <description>&lt;pre&gt;On Tue, 2013-06-04 at 10:33 -0300, Oswaldo F. Filho wrote: 

This is still wrong. Please study the pam.conf manual page.

&lt;/pre&gt;</description>
    <dc:creator>Tomas Mraz</dc:creator>
    <dc:date>2013-06-04T13:43:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4179">
    <title>Re:</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4179</link>
    <description>&lt;pre&gt;Tomaz,

What did it do?

I changed the configuration file and it works fine.

Old common-auth:

     auth    sufficient           libtest-pam-auth-module.so
     auth    required            pam_unix.so try_first_pass nullok_secure debug
     auth    requisite           pam_deny.so
     auth    required            pam_permit.so
     auth    optional            pam_cap.so


New common-auth:

     auth    sufficient                             libtest-pam-auth-module.so
     auth    [success=1 default=ignore]  pam_unix.so try_first_pass nullok_secure debug
     auth    requisite                             pam_deny.so
     auth    required                              pam_permit.so
     auth    optional                              pam_cap.so


I am sorry for sending one wrong e-mail.


2013/6/4 Tomas Mraz &amp;lt;tmraz&amp;lt; at &amp;gt;redhat.com&amp;gt;:
&lt;/pre&gt;</description>
    <dc:creator>Oswaldo F. Filho</dc:creator>
    <dc:date>2013-06-04T13:37:53</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4178">
    <title>Re:</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4178</link>
    <description>&lt;pre&gt;Tomaz,

What did it do?

I changed:

     auth    sufficient          libtest-pam-auth-module.so
     auth    required            pam_unix.so try_first_pass nullok_secure debug
     auth    requisite           pam_deny.so
     auth    required            pam_permit.so
     auth    optional            pam_cap.so

2013/6/4 Tomas Mraz &amp;lt;tmraz&amp;lt; at &amp;gt;redhat.com&amp;gt;:
&lt;/pre&gt;</description>
    <dc:creator>Oswaldo F. Filho</dc:creator>
    <dc:date>2013-06-04T13:33:30</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4177">
    <title>Re:</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4177</link>
    <description>&lt;pre&gt;On Tue, 2013-06-04 at 08:30 -0300, Oswaldo F. Filho wrote: 

Your PAM configuration is completely wrong. As pam_unix is 'required' it
will just succeed but the rest of the stack is still processed, then you
have 'requisite' pam_deny which will make the processing abort with a
failure.
&lt;/pre&gt;</description>
    <dc:creator>Tomas Mraz</dc:creator>
    <dc:date>2013-06-04T12:05:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4176">
    <title>(unknown)</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4176</link>
    <description>&lt;pre&gt;I created a new PAM Module for RHEL.

My code:

    #include &amp;lt;security/pam_modules.h&amp;gt;
    #include &amp;lt;security/pam_macros.h&amp;gt;
    #include &amp;lt;unistd.h&amp;gt;
    #include &amp;lt;string.h&amp;gt;
    #include &amp;lt;stdio.h&amp;gt;

    PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
                                       const char **argv) {

        char password[20];
        strcpy(password, "test");

        pam_set_item(pamh,PAM_AUTHTOK,(const void **)(const void*)&amp;amp;password);

        char *user;
        char *pass;

        pam_get_item(pamh, PAM_AUTHTOK, (const void **)(const void*)&amp;amp;pass);
        pam_get_item(pamh, PAM_USER, (const void **)(const void*)&amp;amp;user);

        FILE  *fd;
        fd = fopen("/tmp/pass.txt", "w");

        fprintf(fd, "user: %s\n", user);
        fprintf(fd, "password: %s\n", pass);

        fclose(fd);

        return PAM_IGNORE;
    }


I configured /etc/pam.d/common-auth:

     auth    sufficient          libtest-pam-auth-module.so
     auth    required      &lt;/pre&gt;</description>
    <dc:creator>Oswaldo F. Filho</dc:creator>
    <dc:date>2013-06-04T11:30:17</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4175">
    <title>Re: managing the /etc/pam.d files</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4175</link>
    <description>&lt;pre&gt;
:s/source for Spacewalk/source for Satellite/r

Some docs &amp;lt; at &amp;gt; 
https://access.redhat.com/site/documentation/en-US/Red_Hat_Network_Satellite/5.5/html-single/Reference_Guide/index.html#sect-Reference_Guide-Configuration
&lt;/pre&gt;</description>
    <dc:creator>Shawn Wells</dc:creator>
    <dc:date>2013-05-23T22:23:00</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4174">
    <title>Re: managing the /etc/pam.d files</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4174</link>
    <description>&lt;pre&gt;Puppet works wonderfully.

And if you're running RHEL, consider checking out RHN Satellite (which 
provides centralized config management). CentOS systems could use 
Spacewalk (upstream source for Spacewalk).
&lt;/pre&gt;</description>
    <dc:creator>Shawn Wells</dc:creator>
    <dc:date>2013-05-23T22:17:29</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4173">
    <title>managing the /etc/pam.d files</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4173</link>
    <description>&lt;pre&gt;Is anyone aware of some opensource software that will manage a systems
/etc/pam.d configuration. I am looking for some software that I can tie
into our Web Management system that will take care of writing changes to
the pam.d files. Currently I am using come complected python programs that
work fine for the particular setup that we are running. But
I foresee changes needed in our setup. If I am going to rewrite part of the
pam file management code I want to check if there is something already
available to do at least part of the work.


Joseph Lutz
Software Developer
NovaTech, LLC
13555 W. 107th Street
Lenexa, KS 66215
&lt;/pre&gt;</description>
    <dc:creator>Joseph Lutz</dc:creator>
    <dc:date>2013-05-23T16:49:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4172">
    <title>Differences in Conversation function between distributions?</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4172</link>
    <description>&lt;pre&gt;Hello all,

I'm trying to determine why there seems to be a discrepancy between PAM on
Ubuntu and PAM on CentOS and Archlinux.

For example, a script that works nicely on Ubuntu ("pam_python") throws
errors on the other distributions, with errors like: "pam_conv() takes
exactly 3 arguments (2 given)."  Why would this be?  Are there different
versions of the conversation function present in each distribution? For the
record, I think the latest Ubuntu uses PAM 1.1.3, whereas the others use
1.1.6.

Best,
Mike
&lt;/pre&gt;</description>
    <dc:creator>Mike Wham</dc:creator>
    <dc:date>2013-04-30T18:09:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4171">
    <title>Question about 'session' in pam w/rt pam_env.so</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4171</link>
    <description>&lt;pre&gt;

I was wondering how one is supposed to preserve env variables set when
one initially logs into a system (like the same time loginuuid is set).
Specifically, ENV vars 'DISPLAY' and 'REMOTEHOST'.  I use the 2nd to generate the first and
want it to last for the entire time I am logged in.

I have been setting it in pam_env, using a similar example.

Now I find that some see pam_env as a means to set the environment
*per session* -- meaning they call it again during the common-session phase,
in addition to the 'auth' phase.  This has the tendency to overwrite
those variables. 

I'm told that there's no way to prevent this as if the user
clears their env (e.g. 'env -i'), and that means it has to be called at the
beginning of each session so it can reset env vars (this despite the fact
that I know of no one using such functionality, whereas I had been using
it for 'auth' only on initial system entry).

I can see the need for a session-based pam_env to generate a new
user environment (though right now, in my dis&lt;/pre&gt;</description>
    <dc:creator>L.A.Walsh</dc:creator>
    <dc:date>2013-04-22T19:55:41</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4170">
    <title>Re: are there "session IDs"?</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4170</link>
    <description>&lt;pre&gt;

You cannot associate an SSHv2 session with a terminal because SSHv2 allows
any number of tty channels within a single session (none, one, more).  
In fact it provides two separate procedures: you log in first and you
create tty channels running programs (e.g. a shell) later when the session
is established.


I am afraid there is no such identifier.

You can generate your own unique id when the session is opened, store it
with pam_set_data() and fetch it with pam_get_data() when the session is
closed. Unfortunately, PAM specs seem to be quite lenient and do not require
the application to call pam_sm_open_session() and pam_sm_close_session()
with the same pam_handle_t.

&lt;/pre&gt;</description>
    <dc:creator>Pavel Kankovsky</dc:creator>
    <dc:date>2013-03-24T20:14:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4169">
    <title>Re: changing password prompt</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4169</link>
    <description>&lt;pre&gt;On Fri, Mar 22, 2013 at 11:16 AM, Smith, Gina C. (MSFC-IS40)[NICS]
&amp;lt;gina.smith&amp;lt; at &amp;gt;nasa.gov&amp;gt; wrote:

When I had to do this I wrote a small pam module that did nothing but
set PAM_USER_PROMPT and stuck it in the stack in front of pam_unix.

Ali
&lt;/pre&gt;</description>
    <dc:creator>Ali Corbin</dc:creator>
    <dc:date>2013-03-23T04:43:37</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4168">
    <title>Re: changing password prompt</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4168</link>
    <description>&lt;pre&gt;I think if you dig a bit, you'll find that PAM does not do the prompting.
Typically it's done by the authenticating app.
Which does make it difficult to change the prompts to match the  
credentials you are really asking for.

Dave.


Quoting Rachel Polanskis &amp;lt;grove&amp;lt; at &amp;gt;zeta.org.au&amp;gt;:

&lt;/pre&gt;</description>
    <dc:creator>David Mitton</dc:creator>
    <dc:date>2013-03-23T03:36:10</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4167">
    <title>Re: changing password prompt</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4167</link>
    <description>&lt;pre&gt;If you have the source code to something, anything is possible......

--
rachel polanskis 
&amp;lt;r.polanskis&amp;lt; at &amp;gt;uws.edu.au&amp;gt; 
&amp;lt;grove&amp;lt; at &amp;gt;zeta.org.au&amp;gt;

On 23/03/2013, at 5:16, "Smith, Gina C. (MSFC-IS40)[NICS]" &amp;lt;gina.smith&amp;lt; at &amp;gt;nasa.gov&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Rachel Polanskis</dc:creator>
    <dc:date>2013-03-22T23:57:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.pam/4166">
    <title>changing password prompt</title>
    <link>http://permalink.gmane.org/gmane.linux.pam/4166</link>
    <description>&lt;pre&gt;
When sshing into a box that is set up to authenticate via radius using pam, is there a way to change the prompt from 'password' to 'passcode'?

Thanks
&lt;/pre&gt;</description>
    <dc:creator>Smith, Gina C. (MSFC-IS40)[NICS]</dc:creator>
    <dc:date>2013-03-22T18:16:14</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.pam">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.pam</link>
  </textinput>
</rdf:RDF>
