SSH Server is running on a RHEL 6.4 system with version sssd-1.9.2-82.7.el6_4.x86_64.
I'm using access_provider = ldap in sssd.conf and ldap_access_filter = memberOf=cn=GoodUsers,ou=x,ou=y,o=z
This is working as intended but remote ssh users not in group GoodUsers are simply disconnected with no error message after successfully authenticating via authorized_keys or LDAP password.
Is there a way to better inform the end user the general reason for the disconnect?
Current behavior:
[usr1@test-client Desktop]$ ssh test-server *Connection closed by* 192.168.1.22
[root@test-server ~]# tail -1 /var/log/secure Aug 15 11:40:20 test-server sshd[5562]: *fatal*: Access denied for user usr1 by PAM account configuration
Thanks in advance.
On Thu, 2013-08-15 at 12:06 -0400, Sophit4 wrote:
SSH Server is running on a RHEL 6.4 system with version sssd-1.9.2-82.7.el6_4.x86_64.
I'm using access_provider = ldap in sssd.conf and ldap_access_filter = memberOf=cn=GoodUsers,ou=x,ou=y,o=z
This is working as intended but remote ssh users not in group GoodUsers are simply disconnected with no error message after successfully authenticating via authorized_keys or LDAP password.
Is there a way to better inform the end user the general reason for the disconnect?
I do not think SSH will allow you to do that. The author sees dropping any further communication as soon as the user is denied as a security feature I believe.
They do the same on password changes.
Simo.
Current behavior:
[usr1@test-client Desktop]$ ssh test-server Connection closed by 192.168.1.22
[root@test-server ~]# tail -1 /var/log/secure
Aug 15 11:40:20 test-server sshd[5562]: fatal: Access denied for user usr1 by PAM account configuration
Thanks in advance.
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
Thank you for your response and I accept your explanation.
Here's why I'm concerned: this particular internal site has SSH client users who will be confused by an apparent successful authentication (password accepted without feedback) followed by an abrupt, uninformative disconnect.
FYI, with the pam_ldap-185-11.el6.x86_64 based configured with the following in /etc/pam_ldap.conf on RHEL 6.4
pam_groupdn cn=GoodUsers,ou=x,ou=y,o=z
and the same sshd package, I get the following when the test group isn't available in the LDAP tree:
[test-client Desktop]$ ssh test-server *You must be a member of cn=GoodUsers,ou=x,ou=y,o=z to login.* Connection closed by 111.222.123.45 [test-client Desktop]$
But when /etc/security/access.conf is configured with precedence in /etc/pam.d/ files, the disconnect is also abrupt like SSS.
On Mon, Aug 19, 2013 at 8:23 AM, Simo Sorce simo@redhat.com wrote:
On Thu, 2013-08-15 at 12:06 -0400, Sophit4 wrote:
SSH Server is running on a RHEL 6.4 system with version sssd-1.9.2-82.7.el6_4.x86_64.
I'm using access_provider = ldap in sssd.conf and ldap_access_filter = memberOf=cn=GoodUsers,ou=x,ou=y,o=z
This is working as intended but remote ssh users not in group GoodUsers are simply disconnected with no error message after successfully authenticating via authorized_keys or LDAP password.
Is there a way to better inform the end user the general reason for the disconnect?
I do not think SSH will allow you to do that. The author sees dropping any further communication as soon as the user is denied as a security feature I believe.
They do the same on password changes.
Simo.
Current behavior:
[usr1@test-client Desktop]$ ssh test-server Connection closed by 192.168.1.22
[root@test-server ~]# tail -1 /var/log/secure
Aug 15 11:40:20 test-server sshd[5562]: fatal: Access denied for user usr1 by PAM account configuration
Thanks in advance.
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
-- Simo Sorce * Red Hat, Inc * New York
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 08/19/2013 01:48 PM, Sophit4 wrote:
Thank you for your response and I accept your explanation.
Here's why I'm concerned: this particular internal site has SSH client users who will be confused by an apparent successful authentication (password accepted without feedback) followed by an abrupt, uninformative disconnect.
FYI, with the pam_ldap-185-11.el6.x86_64 based configured with the following in /etc/pam_ldap.conf on RHEL 6.4
pam_groupdn cn=GoodUsers,ou=x,ou=y,o=z
and the same sshd package, I get the following when the test group isn't available in the LDAP tree:
[test-client Desktop]$ ssh test-server *You must be a member of cn=GoodUsers,ou=x,ou=y,o=z to login.*
This is generally a bad practice, as it gives a potential attacker information about what they need to do in order to gain access. I'd agree that you should at least see "Access denied by server configuration" so you know it's kicking you out on purpose (rather than a bug). Feel free to file an RFE against SSSD about this.
On Mon, Aug 19, 2013 at 01:51:46PM -0400, Stephen Gallagher wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 08/19/2013 01:48 PM, Sophit4 wrote:
Thank you for your response and I accept your explanation.
Here's why I'm concerned: this particular internal site has SSH client users who will be confused by an apparent successful authentication (password accepted without feedback) followed by an abrupt, uninformative disconnect.
FYI, with the pam_ldap-185-11.el6.x86_64 based configured with the following in /etc/pam_ldap.conf on RHEL 6.4
pam_groupdn cn=GoodUsers,ou=x,ou=y,o=z
and the same sshd package, I get the following when the test group isn't available in the LDAP tree:
[test-client Desktop]$ ssh test-server *You must be a member of cn=GoodUsers,ou=x,ou=y,o=z to login.*
This is generally a bad practice, as it gives a potential attacker information about what they need to do in order to gain access. I'd agree that you should at least see "Access denied by server configuration" so you know it's kicking you out on purpose (rather than a bug). Feel free to file an RFE against SSSD about this.
Sorry to come late to the thread, I'm still going through mail after vacation. I agree with Stephen, we recently fixed a similar RFE where binding with the old password in case of a password change also printed a message saying "Old password not accepted". I think this falls into the same bucket.
We might only print this extended access control mechanism if the pam responder is running in some sort of verbose mode (controlled by the pam_verbosity parameter) but that's tdb.
On Mon, 2013-08-19 at 13:48 -0400, Sophit4 wrote:
Thank you for your response and I accept your explanation.
Here's why I'm concerned: this particular internal site has SSH client users who will be confused by an apparent successful authentication (password accepted without feedback) followed by an abrupt, uninformative disconnect.
FYI, with the pam_ldap-185-11.el6.x86_64 based configured with the following in /etc/pam_ldap.conf on RHEL 6.4
pam_groupdn cn=GoodUsers,ou=x,ou=y,o=z
and the same sshd package, I get the following when the test group isn't available in the LDAP tree:
[test-client Desktop]$ ssh test-server You must be a member of cn=GoodUsers,ou=x,ou=y,o=z to login. Connection closed by 111.222.123.45 [test-client Desktop]$
Ok it seem like a message may be returned by pam, can you open a RFE(*) ticket to support this in pam_sss ? If anything can be doen that's where we can do it.
But when /etc/security/access.conf is configured with precedence in /etc/pam.d/ files, the disconnect is also abrupt like SSS.
I guess pam_access is not returning messages either.
Simo.
(*) Request For Enhancement
On Mon, Aug 19, 2013 at 8:23 AM, Simo Sorce simo@redhat.com wrote: On Thu, 2013-08-15 at 12:06 -0400, Sophit4 wrote: > SSH Server is running on a RHEL 6.4 system with version > sssd-1.9.2-82.7.el6_4.x86_64. > > I'm using access_provider = ldap in sssd.conf and ldap_access_filter = > memberOf=cn=GoodUsers,ou=x,ou=y,o=z > > > This is working as intended but remote ssh users not in group > GoodUsers are simply disconnected with no error message after > successfully authenticating via authorized_keys or LDAP password. > > > Is there a way to better inform the end user the general reason for > the disconnect?
I do not think SSH will allow you to do that. The author sees dropping any further communication as soon as the user is denied as a security feature I believe. They do the same on password changes. Simo. > > Current behavior: > > > [usr1@test-client Desktop]$ ssh test-server > Connection closed by 192.168.1.22 > > [root@test-server ~]# tail -1 /var/log/secure > > Aug 15 11:40:20 test-server sshd[5562]: fatal: Access denied for user > usr1 by PAM account configuration > > > > Thanks in advance. > > _______________________________________________ > sssd-devel mailing list > sssd-devel@lists.fedorahosted.org > https://lists.fedorahosted.org/mailman/listinfo/sssd-devel -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
sssd-devel@lists.fedorahosted.org
-
Jakub Hrozek -
Simo Sorce -
Sophit4 -
Stephen Gallagher