LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 03-19-2014, 04:16 PM   #1
mydogspot
LQ Newbie
 
Registered: Nov 2009
Posts: 9

Rep: Reputation: 0
PAM and netgroups


We are trying to use PAM and /etc/security/access.conf to lock down logins to our servers to specific netgroups and I think we have run into a bug. Our OS is OEL 6.5 and we are running the most recent PAM release, pam-1.1.1-17.el6.x86_64. When we first configured our servers to use netgroups they worked perfectly, but over several weeks users started getting locked out and now now one can login unless we completely disable access.conf. I had a clone of one of these servers with a VM snapshot and I rolled back to the snapshot and can now login to that server again - but I would assume I will eventually be locked out again. We have an OEL 5 server that we have set this up on as well and that has not encountered any problems. tcpdump on the OEL 5 server shows it querying our LDAP for the username, then querying for the allowed netgroups until it finds a match. But I don't see our OEL 6 servers ever querying for the netgroups. Is anyone here familiar with doing this type of authentication and/or encountered this situation?

thanks -
EJ
 
Old 03-19-2014, 06:26 PM   #2
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,933
Blog Entries: 1

Rep: Reputation: 188Reputation: 188
What's the output of

Code:
egrep -v '^#|^$' /etc/security/access.conf
Code:
egrep -v '^#|^$' /etc/nsswitch.conf
--C
 
Old 03-20-2014, 09:30 AM   #3
mydogspot
LQ Newbie
 
Registered: Nov 2009
Posts: 9

Original Poster
Rep: Reputation: 0
# egrep -v '^#|^$' /etc/security/access.conf
+ : @sysadmin : ALL
+ : @UXorprd : ALL
- : ALL : ALL
# egrep -v '^#|^$' /etc/nsswitch.conf
passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files sss
netgroup: files sss ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus

---------- Post added 03-20-14 at 09:31 AM ----------

we were using nslcd but switched it over to sssd yesterday to see if that would help, but it made no difference.
 
Old 03-20-2014, 09:59 AM   #4
mydogspot
LQ Newbie
 
Registered: Nov 2009
Posts: 9

Original Poster
Rep: Reputation: 0
And this is our pam sssd file

# cat sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_access.so debug
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth


When netgroups checking is working properly, I can see in /var/log/secure

Mar 19 14:23:22 or-CLONE sshd[9633]: pam_access(sshd:account): line 122: + : @sysadmin : ALL
Mar 19 14:23:22 or-CLONE sshd[9633]: pam_access(sshd:account): list_match: list= @sysadmin , item=ej
Mar 19 14:23:22 or-CLONE sshd[9633]: pam_access(sshd:account): user_match: tok=@sysadmin, item=ej
Mar 19 14:23:22 or-CLONE sshd[9633]: pam_access(sshd:account): netgroup_match: 1 (netgroup=sysadmin, machine=NULL, user=ej, domain=)
Mar 19 14:23:22 or-CLONE sshd[9633]: pam_access(sshd:account): user_match=1, "ej"


When it stops working, it will report user_match=0 "ej", then proceed to check the next netgroup UXorprd, then it hits the - : ALL : ALL in access.conf and kicks me off.

I have another test user account that I set up to be in both sysadmin and UXorprd netgroups and that user is failing at every step - sysadmin check, UXorprd, and then kicked off.

Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): line 122: + : @sysadmin : ALL
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): list_match: list= @sysadmin , item=ejtest10
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): user_match: tok=@sysadmin, item=ejtest10
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): netgroup_match: 0 (netgroup=sysadmin, machine=NULL, user=ejtest10, domain=)
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): user_match=0, "ejtest10"
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): line 123: + : @UXorprd : ALL
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): list_match: list= @UXorprd , item=ejtest10
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): user_match: tok=@UXorprd, item=ejtest10
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): netgroup_match: 0 (netgroup=UXorprd, machine=NULL, user=ejtest10, domain=)
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): user_match=0, "ejtest10"
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): line 124: - : ALL : ALL
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): list_match: list= ALL , item=ejtest10
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): user_match: tok=ALL, item=ejtest10
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): string_match: tok=ALL, item=ejtest10
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): user_match=2, "ejtest10"
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): list_match: list= ALL, item=ejtest10
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): from_match: tok=ALL, item=10.0.12.11
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): string_match: tok=ALL, item=10.0.12.11
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): from_match=2, "10.0.12.11"
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): access denied for user `ejtest10' from `10.0.12.11'
Mar 19 14:23:34 or-CLONE sshd[9656]: fatal: Access denied for user ejtest10 by PAM account configuration
 
Old 03-20-2014, 10:32 AM   #5
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,933
Blog Entries: 1

Rep: Reputation: 188Reputation: 188
Okay, unless I misunderstood, the "@" sign is only for NIS netgroups.

If you're using LDAP or IPA or Active Directory; you don't need the "@" sign...just the group name.


test without the @ sign and see if you get different results
 
Old 03-20-2014, 11:35 AM   #6
mydogspot
LQ Newbie
 
Registered: Nov 2009
Posts: 9

Original Poster
Rep: Reputation: 0
This is an NIS netgroup that we are using, but this seems to be working now removing the @. I created a new user that has never had access to either of my allowed groups and that user is being blocked. However, I removed my other test user from both groups (it had previously been in both of my test groups) and that user is still able to login. I tried restarting nslcd but still can login. Could the user info for the old user be cached somehow?
 
Old 03-20-2014, 03:06 PM   #7
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,933
Blog Entries: 1

Rep: Reputation: 188Reputation: 188
Quote:
Originally Posted by mydogspot View Post
This is an NIS netgroup that we are using, but this seems to be working now removing the @. I created a new user that has never had access to either of my allowed groups and that user is being blocked. However, I removed my other test user from both groups (it had previously been in both of my test groups) and that user is still able to login. I tried restarting nslcd but still can login. Could the user info for the old user be cached somehow?

Are you using sssd? If so then yes, the user may be cached


--C
 
Old 03-21-2014, 05:13 PM   #8
dyurk
LQ Newbie
 
Registered: Mar 2014
Posts: 1

Rep: Reputation: Disabled
We had a similar issue. Try to invalidate the netgroup's cache.

Quote:
nscd -i netgroup
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
restrict login to nis netgroups kapilcool Linux - Software 2 11-01-2007 03:26 PM
netgroups ikinnu Linux - Networking 2 08-03-2007 01:27 AM
LXer: Configure IBM LDAP netgroups with Windows Active Directory server LXer Syndicated Linux News 0 04-20-2007 09:02 AM
Issues with NIS and netgroups Wells Debian 0 10-17-2005 11:16 AM
Advice on Netgroups File with NIS lemay_jeff Linux - Networking 0 10-27-2004 11:26 AM


All times are GMT -5. The time now is 07:06 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration