[389-users] Preventing ssh keys from granting a user access when LDAP account is disabled.
Daniel Maher
dma+389users at witbe.net
Wed Jul 21 09:32:18 UTC 2010
On 07/20/2010 08:32 PM, Gerrard Geldenhuis wrote:
>> On 07/20/2010 09:45 AM, Gerrard Geldenhuis wrote:
>>> Hi There is a bugzilla raised concerns users still being able to
>>> login if they have ssh keys even if there ldap account is disabled.
>>
>> Define "disabled". If your only flag is the userpassword field, you
>> won't find a good solution to this problem, since that field will never
>> be used by an ssh session using keys.
>
> Good point... I define disabled as setting the user as disabled in in the console or the user having typed his password wrong to many times and then getting locked out.
>
> I still don't understand pam as well as I should but it would make sense to me for PAM to "check" LDAP before checking ssh... It does so when you don't have ssh keys and would deny a user if he/she is disabled. Maybe I should change a password sufficient to password required. I guess I need to play around a bit more.
>
>>
>> I believe you can use pam_access(5) to grant login access only to
>> members of a group in your directory, and remove users from that group
>> when you disable their login access.
>
> That was my plan but it is not perfect...
In a stunning coincidence, i was looking at this problem just this
morning. :)
In my environment not all of the accounts that should be able to log in
are in LDAP (some are local to the systems), so while i configured PAM
to check LDAP before any local mechanism, i couldn't just lock out a
failed LDAP check either. Since a "disabled" user in LDAP could still
technically authenticate locally (i.e. against a keyfile), i was running
into exactly the same problem you mentioned originally.
The LDAP groups here share a 1:1 relationship with Posix groups, which
lends itself well to using PAM to control SSH logins based on group
membership criteria. With this in mind, i configured PAM to use the
"listfile" mechanism, wherein the contents of a simple text file can be
compared against a given criteria during the authentication process.
In a nutshell, i put the allowed groups - one per line - in
/etc/ssh_login_groups, and then put this line at the top of my
/etc/pam.d/sshd :
auth requisite pam_listfile.so onerr=fail item=group sense=allow
file=/etc/ssh_login_groups
I then created an LDAP group called "disabled", and now instead of
deactivating users in the traditional sense, i simply revoke their group
membership and put them into the disabled group. Since that group isn't
listed in the listfile, they can't login, regardless of any other
possibilities.
--
Daniel Maher <dma + 389users AT witbe DOT net>
More information about the 389-users
mailing list