Mike Wham | 30 Apr 2013 20:09

Differences in Conversation function between distributions?

Hello all,


I'm trying to determine why there seems to be a discrepancy between PAM on Ubuntu and PAM on CentOS and Archlinux.

For example, a script that works nicely on Ubuntu ("pam_python") throws errors on the other distributions, with errors like: "pam_conv() takes exactly 3 arguments (2 given)."  Why would this be?  Are there different versions of the conversation function present in each distribution? For the record, I think the latest Ubuntu uses PAM 1.1.3, whereas the others use 1.1.6.

Best,
Mike
_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
L.A.Walsh | 22 Apr 2013 21:55

Question about 'session' in pam w/rt pam_env.so


I was wondering how one is supposed to preserve env variables set when
one initially logs into a system (like the same time loginuid is set).
Specifically, ENV vars 'DISPLAY' and 'REMOTEHOST'.  I use the 2nd to
generate the first and want it to last for the entire time I am logged in.

I have been setting it in pam_env, using a similar example.

Now I find that some see pam_env as a means to set the environment
*per session* -- meaning they call it again during the common-session phase,
in addition to the 'auth' phase.  This has the tendency to overwrite
those variables. 

I'm told that there's no way to prevent this, as the user may clear their
env (e.g. 'env -i'), and that means it has to be called at the beginning
of each session so it can reset env vars (this despite the fact that I
know of no one using such functionality, whereas I had been using it for
'auth' only on initial system entry).

I can see the need for a session-based pam_env to generate a new
user environment (though right now, in my distro, the ENV is set
via shell scripts on initial login).

However, if I leave my distro's defaults in place, my display and remote
host are overwritten when I do a "sudo su" -- to get a new shell as root.

Is there a way to protect those vars?  Right now, even though I specify
the -m flag to 'su', it seems not to preserve my env when I invoke it
via sudo.

So how can I limit pam_env's resetting to save and carry forward
items like REMOTEHOST and DISPLAY -- OR -- should pam_env only
be called during 'auth', and env-init be left to shell scripting
(or putenv)?

I'm aware of the comment that says the module should be an AUTH
module, but I've been told that was only the initial design and that
the manpage and other docs allow for using it to initialize sessions.

Ideas or suggestions on how to do this would be great.
Thanks!
LW
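The situation described in this message can be handled in configuration. What follows is an added example written for this page; it is not the poster's setup and not part of Linux-PAM's shipped files. The variable syntax is the one documented in pam_env.conf(5): a ${NAME} reference is read from the environment of the process that is calling PAM, an @{PAM_ITEM} reference is read from the PAM handle, and the OVERRIDE value wins whenever it expands to something non-empty, otherwise the DEFAULT is used. Because su does not set PAM_RHOST but does inherit the caller's environment, putting the PAM item in DEFAULT and the existing variable in OVERRIDE makes a session-phase re-run of pam_env re-set the value that is already there instead of replacing it. sudo's env_reset (the default in current sudo) removes non-whitelisted variables before su ever starts, which is why su -m has nothing left to preserve; the sudoers line keeps the two variables across sudo. Whether DISPLAY is already in your sudoers env_keep depends on the build and distribution, so the line lists it explicitly.

```text
# /etc/security/pam_env.conf (fragment, added example)
# VARIABLE    DEFAULT=...                 OVERRIDE=...
#
# First login over the network: REMOTEHOST is absent from the process
# environment, so DEFAULT supplies the client host from PAM_RHOST.
# Later "su" in the same login: PAM_RHOST is unset, but ${REMOTEHOST}
# is present, so OVERRIDE keeps the inherited value.
REMOTEHOST    DEFAULT=@{PAM_RHOST}        OVERRIDE=${REMOTEHOST}
DISPLAY       DEFAULT=@{PAM_RHOST}:0.0    OVERRIDE=${DISPLAY}

# /etc/sudoers (fragment, added example): let the two variables survive
# sudo's env_reset so that "sudo su -m" still sees them.
Defaults      env_keep += "DISPLAY REMOTEHOST"
```

With this arrangement pam_env can stay in both the auth and session stacks: on initial entry the PAM items populate the variables, and every later session open that inherits them leaves them untouched.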

changing password prompt

 

When sshing into a box that is set up to authenticate via RADIUS using PAM, is there a way to change the prompt from 'password' to 'passcode'?

 

Thanks

Seven Reeds | 19 Mar 2013 22:58

are there "session IDs"?

Hi,

I am running Ubuntu.

I am writing an executable that pam_exec will call in "session" mode.
It will respond to session open/close events.  It is almost completely
working.  This morning I was testing it using "su" and it was doing
what i expected.  I then started ssh-ing to the machine.  That's when
things became puzzling.

If I "su" while on the machine the PAM_TTY environment variable is
indeed a TTY string and is unique to the "session".  However, if I
treat "ssh" like "su" and try to ssh to a different user on the same
machine, e.g.:

        $ ssh otherUser@this.machine.com

then the PAM_TTY variable just shows "ssh".  If I were logged in
multiple times then all would appear to be on the same "line", so to
speak.

This does make sense I suppose.  The "su" continues to use the tty of
the caller.  The "ssh" will eventually have a new tty.  I am calling
my PAM_EXEC's program very late in the session stack so I assumed that
a tty would be available.

Since the tty is not available, is there a unique session identifier
that I can use?  I have not seen mention of one.

Seven
Dylan Martin | 12 Mar 2013 20:21

Re: pam modules and setuid actions

You have a cache file that you can open as root, but not using su or
sudo or your suid binary?  Is that right?  That's weird.  You're not
operating in a filesystem that's mounted nosuid, by any chance?

The only problem I can see with your approach is that suid is kind of
all-or-nothing.  If your binary does anything before it operates on
the cache file, it will also be root until you can well-and-truly drop
root privileges after dealing with the cache file.

An alternative might be to make your binary suid some-other-user.  So,
say the cache file belongs to a user named cacheface and only
cacheface can read or write to that file.  Your cache-editing binary
could be suid cacheface.

You can make a binary whose only job is interacting with the cache,
and have your main program call that suid binary.  (That's how a lot
of shadow password stuff works.)

You could make a server that opens the cache (or keeps it in memory)
and you log to it instead of to the remote host.

You could use syslog with remote logging. (probably totally misses the point)

You could stop eating so much fatty food, call your mother from time
to time and share that recipe for cold fusion you've been hiding...
;-)

Yar!
-Dylan

On Tue, Mar 12, 2013 at 11:14 AM, Seven Reeds <seven.reeds@gmail.com> wrote:
> Hi,
>
> I am very close to finishing a pam module that will log specific user
> session activities to a database.  There could be situations though in
> which the primary, remote DB is unavailable so I want to create a
> local "cache" of loggable events.  Once remote DB access is regained I
> will upload the cache records and be very happy.  There is an issue
> though.
>
> I want the cache to live in protected space.  I would like to open the
> cache as "root" or some other dedicated user.  I do not want the
> general public to inspect or edit the cache.  I have just tried
> wrapping the cache "open" in setuid calls but that has not worked.  I
> am using "su" as my testing tool but even though the "su" executable
> is setuid by default the open section fails.
>
> Is there a general PAM related solution to this?
>
> thanks
> Seven
>
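The two suggestions in the reply above, a helper that is set-user-ID to a dedicated account rather than root, and privilege that is held only for the moment it is needed, look like this in C. This is an added example written for this page, not code from the thread or from Linux-PAM. It assumes the helper is installed set-user-ID to the cache owner (the "cacheface" account from the reply), that the PAM module runs it with the cache path and one record as arguments, and that the helper is not set-group-ID (supplementary groups are left alone). The helper lowers its effective id at startup so ordinary work is unprivileged, raises it only around the open, and then gives the saved id up for good, checking that it cannot be regained.

```c
/* cache_helper.c: added example of a small set-user-ID helper that appends
 * one record to a protected cache file.  Not from the thread or Linux-PAM.
 * Assumed: installed set-user-ID to the cache owner ("cacheface"). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Open the cache for appending while briefly wearing the identity the binary
 * was installed as (kept in the saved set-user-ID after main() lowered the
 * effective id).  O_NOFOLLOW stops a symlink planted in the cache directory
 * from redirecting the privileged write.  Returns an fd, or -1. */
int privileged_open_append(const char *path)
{
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0)
        return -1;
    if (seteuid(suid) != 0)            /* raise: permitted via the saved id */
        return -1;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    int open_errno = errno;
    if (seteuid(ruid) != 0) {          /* lower again, however open() went */
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = open_errno;
    return fd;
}

/* Give the set-user-ID identity up for good: real, effective and saved ids
 * all become the caller's, then verify the old identity is unreachable.
 * Returns 0 on success, -1 otherwise.  (Skips the verification when the
 * caller really is root, where it would be meaningless.) */
int drop_privileges_permanently(void)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;
    if (getresuid(&ruid, &euid, &suid) != 0 || getresgid(&rgid, &egid, &sgid) != 0)
        return -1;
    if (setresgid(rgid, rgid, rgid) != 0)   /* group first, while still able */
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    if (ruid != 0 && suid != ruid && seteuid(suid) == 0)
        return -1;                          /* must fail with EPERM now */
    if (ruid != 0 && euid != ruid && seteuid(euid) == 0)
        return -1;
    return 0;
}

/* Append one newline-terminated record to the cache.  0 on success, -1 on error. */
int cache_append(const char *path, const char *record)
{
    int fd = privileged_open_append(path);
    if (fd < 0)
        return -1;
    const char *p = record;
    size_t left = strlen(record);
    int rc = 0;
    while (left > 0) {                      /* tolerate short writes */
        ssize_t n = write(fd, p, left);
        if (n < 0) { if (errno == EINTR) continue; rc = -1; break; }
        p += n; left -= (size_t)n;
    }
    if (rc == 0 && write(fd, "\n", 1) != 1)
        rc = -1;
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

/* Round trip on a temporary file with two constructed records; returns 1 when
 * the file content equals exactly what was appended, 0 otherwise. */
int selftest_roundtrip(void)
{
    char path[] = "/tmp/cache_helper_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    close(fd);
    int ok = cache_append(path, "login user=alice rhost=10.0.0.5") == 0 &&
             cache_append(path, "logout user=alice") == 0;
    char buf[256] = {0};
    if (ok) {
        FILE *f = fopen(path, "r");
        ok = f != NULL && fread(buf, 1, sizeof buf - 1, f) > 0;
        if (f) fclose(f);
    }
    unlink(path);
    return ok && strcmp(buf, "login user=alice rhost=10.0.0.5\nlogout user=alice\n") == 0;
}

int main(int argc, char **argv)
{
    if (seteuid(getuid()) != 0)             /* run unprivileged from the start */
        return 1;
    if (argc != 3) { fprintf(stderr, "usage: %s CACHE RECORD\n", argv[0]); return 2; }
    int rc = cache_append(argv[1], argv[2]);
    if (drop_privileges_permanently() != 0)
        return 1;
    return rc == 0 ? 0 : 1;
}
```

The same shape works for a helper that is set-user-ID root, but then everything between the raise and the lower runs with full privilege, which is the all-or-nothing point made above; a dedicated owner limits what a bug in the helper can reach to the cache itself.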
Seven Reeds | 12 Mar 2013 19:14

pam modules and setuid actions

Hi,

I am very close to finishing a pam module that will log specific user
session activities to a database.  There could be situations though in
which the primary, remote DB is unavailable so I want to create a
local "cache" of loggable events.  Once remote DB access is regained I
will upload the cache records and be very happy.  There is an issue
though.

I want the cache to live in protected space.  I would like to open the
cache as "root" or some other dedicated user.  I do not want the
general public to inspect or edit the cache.  I have just tried
wrapping the cache "open" in setuid calls but that has not worked.  I
am using "su" as my testing tool but even though the "su" executable
is setuid by default the open section fails.

Is there a general PAM related solution to this?

thanks
Seven
Simon McVittie | 24 Jan 2013 20:22

Using PAM in setuid processes

Hi,
I've recently been looking at the security properties of various setuid
executables, many of which use PAM for authentication.

What is PAM's policy on the extent to which modules may trust the
process' execution environment, particularly environment variables?

I can see three options for a consistent policy:

1) PAM is considered safe to use in a setuid process, even if the
   environment has not been "cleaned". Modules must not use libraries
   or execute helper programs that can be adversely affected by
   environment variables.

2) PAM is only considered safe to use in a setuid process if the
   environment has been "cleaned" against a whitelist. Modules may use
   any library, or execute any helper program; privileged processes
   that are run with a potentially-attacker-controlled environment
   must "clean" it before using PAM. If the process intends to use the
   original environment later, it can save a copy before cleaning it,
   and pass that copy to execle or similar.

3) There is some mechanism that can/should be used in modules to decide
   whether the process in which they are hosted is privileged or not.
   If it is, they must ensure that they ignore environment variables;
   if it is not, they may obey environment variables.

Which of these policies do the PAM maintainers consider it to have?

For some examples of setuid executables which behave defensively and
clear the environment (i.e. behaving as if the policy is (2), but also
OK for either of the others), see polkit's pkexec[1] and
polkit-agent-helper-1[2].

[1] http://cgit.freedesktop.org/polkit/tree/src/programs/pkexec.c
    (saves the old environment first, and may pass a filtered subset
    to the executed program)
[2]
http://cgit.freedesktop.org/polkit/tree/src/polkitagent/polkitagenthelper-pam.c#n76
    (clears the environment altogether)

For examples of setuid executables which do not clear the environment
(i.e. assuming that the policy is (1)), see most su implementations.

Here are some examples of things modules in these processes can't be
allowed to do without special precautions if policy (1) is in effect:

* trust executables in $PATH
* trust $IFS not to be something that will confuse a shell script
* connect to $DBUS_SESSION_BUS_ADDRESS or $DBUS_SYSTEM_BUS_ADDRESS
  (either of which can contain a command to start a "tunnel")
* load code from $PERL5LIB, $PYTHONPATH, $PYTHONHOME etc.
* trust UTF-8 input in conjunction with PERLIO=:utf8
* trust that $TZDIR is non-malicious
* connect to $DISPLAY? (if the X11 protocol is such that connecting to a
  socket specified by an attacker can cause bad things to happen)
* (etc.)
* execute an external command that does any of those

sudo(1) has a long list of variables that are considered unsafe.

If PAM doesn't have a policy for this, I would personally advocate
policy (2), as recommended by
<http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/environment-variables.html>.
I do notice that this would break use of pam_xauth in setuid
executables, although it isn't clear to me whether that would make sense
anyway.

For the DBUS_* variables this was reported as CVE-2012-3524, and
mitigated in libdbus and GDBus by distrusting environment variables if
getuid() != geteuid() (so, a partial implementation of policy (3), but
perhaps not with the same mechanism to detect privilege that you'd choose).

I'm mainly interested in environment variables and setuid at the moment,
but similar considerations apply to other bits of process environment
that are inherited from a parent that can be less privileged (most
notably, current working directory), and to mechanisms for privilege
escalation other than setuid (setgid, Linux filesystem capabilities, etc.).

Opinions?

Regards,
    Simon
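As an added illustration of policy (2) from the message above, here is example code written for this page; it is not part of Linux-PAM, polkit, or any program mentioned in the thread. A privileged program saves the inherited environment (so the caller's values can still be handed to execle later), clears it with clearenv(), and rebuilds it from a short whitelist whose values are checked, with PATH and IFS pinned to fixed values. process_is_privileged() is the getuid() != geteuid() test the message attributes to libdbus and GDBus, extended to the group ids. The whitelist (TERM and LANG), the sanity rule (printable ASCII, no '/' or '%', in the spirit of sudo's check on TERM) and the fixed PATH are this example's assumptions; a real program would choose its own.

```c
/* env_sanitize.c: added example of environment cleaning for a setuid program
 * about to call into PAM.  Not Linux-PAM code.  Whitelist, sanity rule and
 * the fixed PATH are assumptions for the example. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Variables a privileged process may keep from its caller (assumed list). */
static const char *const keep_vars[] = { "TERM", "LANG", NULL };
#define NKEEP (sizeof keep_vars / sizeof keep_vars[0])

/* Copy of the inherited environment, taken before it is cleared. */
static char **saved_env;

/* The libdbus/GDBus heuristic from the message: real and effective ids differ. */
int process_is_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Reject values that could steer a shell, curses or a locale lookup:
 * empty or very long values, non-printable or non-ASCII bytes, '/' and '%'. */
int env_value_is_sane(const char *v)
{
    size_t len = strlen(v);
    if (len == 0 || len > 255)
        return 0;
    for (; *v; v++)
        if (*v < 0x20 || *v > 0x7e || *v == '/' || *v == '%')
            return 0;
    return 1;
}

static void free_saved_env(void)
{
    if (!saved_env) return;
    for (char **p = saved_env; *p; p++) free(*p);
    free(saved_env);
    saved_env = NULL;
}

/* Save the inherited environment, then rebuild the live one from the whitelist
 * plus fixed PATH and IFS.  Returns the number of whitelisted variables kept,
 * or -1 on allocation failure. */
int sanitize_environment(void)
{
    size_t n = 0;
    while (environ && environ[n]) n++;
    char **copy = calloc(n + 1, sizeof *copy);
    if (!copy) return -1;
    for (size_t i = 0; i < n; i++)
        if (!(copy[i] = strdup(environ[i]))) {
            for (size_t j = 0; j < i; j++) free(copy[j]);
            free(copy);
            return -1;
        }
    free_saved_env();
    saved_env = copy;

    /* Fetch whitelisted values before clearenv() invalidates getenv() results. */
    char *vals[NKEEP] = { 0 };
    for (size_t i = 0; keep_vars[i]; i++) {
        const char *v = getenv(keep_vars[i]);
        if (v && env_value_is_sane(v))
            vals[i] = strdup(v);
    }
    if (clearenv() != 0)                /* glibc: the environment is now empty */
        return -1;

    int kept = 0;
    for (size_t i = 0; keep_vars[i]; i++)
        if (vals[i]) {
            if (setenv(keep_vars[i], vals[i], 1) == 0) kept++;
            free(vals[i]);
        }
    /* Known-good values for the two variables shells and execvp rely on. */
    setenv("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
    setenv("IFS", " \t\n", 1);
    return kept;
}

/* Look NAME up in the saved pre-sanitization copy (for a later execle). */
const char *saved_env_get(const char *name)
{
    size_t len = strlen(name);
    if (!saved_env) return NULL;
    for (char **p = saved_env; *p; p++)
        if (strncmp(*p, name, len) == 0 && (*p)[len] == '=')
            return *p + len + 1;
    return NULL;
}

int main(void)
{
    int kept = sanitize_environment();
    printf("privileged=%d kept=%d PATH=%s\n",
           process_is_privileged(), kept, getenv("PATH"));
    return kept < 0;
}
```

A program following this pattern calls sanitize_environment() before pam_start(), so every module and every helper a module executes sees only the rebuilt environment; the values in the saved copy are for the program's own later use, never for anything run while privileged.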
Martin | 8 Jan 2013 18:16

Re: Can I set the user to authenticate as?

On Tue, 2013-01-08 at 12:00 -0500, pam-list-request@redhat.com wrote:
> On Fri, 4 Jan 2013 16:13:27 -0800
> Dylan Martin <dmartin@seattlecentral.edu> wrote:
> 
> > With pam's flow-through-the-stack nature, I thought there might be a
> > module that would change the user name for authentication purposes.
> 
> Theoretically this is possible. However some services do break under
> these conditions if the username changes. For example OpenSSH has a
> problem with this. The main exception is, if characters are turned
> upper- or lowercase.
> 
> Some time ago I did write a PAM module that indeed alters the
> username.
> You can find the source code here:
> https://github.com/datenwolf/pam_propperpwnam
> 
> From the README:
> 
> |pam_propperpwnam
> |
> |A PAM module that uses the entered login name as key to
> |query the password database configured through nsswitch.conf
> |and replaces the login name with what has been returned.
> |
> |On the typical system this module performs an identity transform.
> |The main usage scenario are systems in networks where a user name
> |is used in several distinct authentication systems, some of them
> |being case sensitive and others not. For example the mail system
> |may do case insensitive username lookups, while the workstations
> |are case sensitive. In such environments users are often puzzled
> |that a username working in one situation does not work in another.
> 
> There's a pam_python module, that allows you to write PAM modules with
> Python. This is great for experimentation, I suggest you experiment
> with this.
> 
> But keep in mind that some things will break if you alter the login
> name; technically those things are broken and should be fixed. Good
> luck with filing bugs.
> 

You may also have to create an NSS module that performs the same
translation / canonicalisation so that user information functions
(getpwnam et al.) work as expected.

Cheers,
 - Martin
Dylan Martin | 5 Jan 2013 01:13

Can I set the user to authenticate as?

Hi all, thanks for reading.

I'm trying to set up authentication against a remote imap server that
I don't run.  I've got pam_imap working, so everything is fine as long
as the username on my box is the same as the username on imap server.
I'd like to somehow make it possible for someone to log in as a
different name than is submitted to the imap server.  The fact that
I'm using imap really shouldn't matter.

I run a web server for a community college.  We have an email server
run by the district.  I work at one of the campuses.  I have zero
control over the email server at district.  I want to authenticate
users on my web server with their imap accounts (because I hate
resetting passwords).  Unfortunately, most web server account names
are different from the imap account names.  For example 'english' or
'lab' might be reasonable account names on my web server but that web
account will be managed by a human with an email account (and IMAP
username) like 'jdoe'.

What I need is for someone to log in as 'lab' with a password and have
PAM ask the IMAP server to authenticate jdoe, and if that succeeds,
let them log in as 'lab'.
That means pam would somehow have to know to translate 'lab' into
'jdoe' for the conversation with the IMAP server and NOT then try to
log the user in as 'jdoe' on the web server if the IMAP authentication
succeeded.

With pam's flow-through-the-stack nature, I thought there might be a
module that would change the user name for authentication purposes.
Like this maybe:

auth required pam_localuser.so
auth required pam_map_user.so file=/etc/usermap
auth requisite pam_imap.so

I've actually done this before by hacking a module to both map a local
user to a remote username AND perform the authentication check.  It
seems odd to me that I'd need to combine those steps.

Is there a better way to handle this problem?

Thanks!
-Dylan
mohanamurali.gurunathan | 8 Dec 2012 07:01

dlopen not able to open shared object file, even though it exists

Hello pam-list members,

We had written a customized PAM authentication module (in C) named vauth.so to be used for sshd. We had
changed the sshd file in /etc/pam.d to include the following line

authenticate sufficient vauth.so

We were able to have ssh session using PuTTY successfully. vauth.so gets called and authentication gets completed.

After this, we wanted to use some java components for our authentication through vauth.so. So, we used some
JNI calls from the c code, and created vauth.so.

These were the commands used to create vauth.so (which is finally placed in /lib64/security)

gcc -fPIC -fno-stack-protector -I/usr/java/jdk1.7.0_07/include \
    -I/usr/java/jdk1.7.0_07/include/linux -c vauth.c \
    -L/usr/java/jdk1.7.0_07/jre/lib/amd64/server

ld -x --shared -o /lib64/security/vauth.so vauth.o /usr/java/jdk1.7.0_07/jre/lib/amd64/server/libjvm.so

We had also copied "libjvm.so" to /lib64/security.

Now, when we do an authentication using PuTTY, we see the following error.

Dec  6 11:23:10 localhost sshd[8605]: PAM unable to dlopen(/lib64/security/vauth.so): libjvm.so:
cannot open shared object file: No such file or directory
Dec  6 11:23:10 localhost sshd[8605]: PAM adding faulty module: /lib64/security/vauth.so

We are not sure why this problem occurs, as libjvm.so is present in /lib64/security.

Following observation may be of some help:
We used a utility called PamTester to test pam modules - pamtester dot sourceforge dot net

Results of using pamtester as root and as a non-root user to test our pam module:
With JNI (libjvm.so): If we run PamTester as a root user, we are able to authenticate. If we run PamTester as a
normal user, then we see a segmentation fault (again this should be due to some access related issues).
Without JNI (no libjvm.so): If we run PamTester as a root user or non-root user, we were able to execute and see
the results.

Any help or guidance in resolving the issues will help.

With Thanks & Best Regards,
-Mohana Murali G
Artur Artamonov | 6 Dec 2012 20:23

shared library loading flags

Is there some specific explanation why modules are loaded with the flag
RTLD_NOW?

pam_dynamic.c:67:       return dlopen(mod_path, RTLD_NOW);

There was an issue when I was using my own PAM module that uses other
shared libraries. I was calling this module from dropbear and there
were always some unresolved symbols from shared libraries. After I added
the flag RTLD_GLOBAL:

pam_dynamic.c:67:       return dlopen(mod_path, RTLD_NOW|RTLD_GLOBAL);

Is it possible that this flag will be added in the next Linux-PAM release?
