Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
03-20-2008, 12:43 PM | #1
Member | Registered: Mar 2008 | Location: UK | Distribution: Fedora, Gentoo | Posts: 209
Question about PAM authentication across a network
As the title says, I'm a bit confused about PAM. I believe I understand how it works in most of the tutorial/documented systems. First, I'll try to explain how I think it works to authenticate users to, say, a SQUID proxy server.
With a SQUID server which is PAM enabled, and has access controls, it takes the received password hash and uses whatever PAM rules it's got locally to check it. For instance, it might use the local, server based /etc/passwd, might check with an LDAP server, or whatever. Provided the user, password and everything else is valid, the connection is allowed. Am I right about this?
My question is: What happens if you want extra information apart from just the username and password? From across the network? For instance, for local logins, there are modules for checking bluetooth devices, usb tokens, and loads of other stuff. What happens if the SQUID server wants to check not only the password supplied, but also a usb token attached to the client machine (perhaps via a challenge response to a smart card). Is this possible? Furthermore, AFAIK (and I'm probably wrong), the transfer of the initial token (password, username or whatever) takes place using whatever protocol the normal, 'pamless' client/server transfer would take place. In the case of SQUID, that's just basic http authentication. Not really secure enough for those of a paranoid disposition. Again, if I'm wrong about any of this, please correct me.
What I would like to know is: are there pam modules around that can initiate a 'request for more information' back to the client through a suitably secured (SSL maybe) network socket? Maybe I'm missing something, but I can't find anything that looks like it can do this. I suppose it would need a 'pam server' on the client, which sits and waits for requests. Does anyone know of such a system?
Thanks for reading, and I hope someone can shed some light on what is probably me missing the point. It just seems that it doesn't matter how many ways the server can check a password/token if said token has been sent across a relatively insecure connection.
Cheers
Beadyallen
03-21-2008, 04:56 AM | #2
Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
I'm not a pam guru per se, but you're certainly on the right path. If you have smart tokens and such, such as Wikid, then they have a protocol interface, often actually RADIUS, which pam can communicate with through its back ends. The presence of a usb device would require local software to be running which would handle the acknowledgement of it. Not sure how PAM relates to that, but I'd *imagine* that on the PAM side it would refer to a bespoke back end module and that would go talk to the client using its own protocols and then reply back.
As for user logins and such, PAM doesn't deal with those. That's controlled with /etc/nsswitch.conf and the structures around that. You'd go through to bind to your ldap server within PAM to prove you are you, and then separately look up the ldap details to know your uid, home dir and such.
03-26-2008, 12:16 PM | #3
LQ Newbie | Registered: Mar 2008 | Posts: 18
Beadyallen:
I am not familiar with a pam module that would ask for additional information. More importantly, asking for more information is not multi-factor authentication. It is just more one-factor authentication. If you think about it from the potential attacks, that becomes clearer.
The security of the connection is a problem in two ways (at least): 1. someone can intercept the credentials and attempt to re-use them. 2. There could be a man-in-the-middle that is intercepting and replaying the session data even if SSL is being used (since users often accept fake certs).
So, there are two solutions to these problems. First, you use a one-time password system so stealing the credentials doesn't do you any good. Second, you use some form of mutual authentication to make sure the user is talking to the correct SSL server.
Here's a document I did on adding two-factor authentication to squid:
http://www.wikidsystems.com/document...wo-factor/view
And here's some info on mutual authentication:
http://www.wikidsystems.com/learn-mo...authentication
HTH,
Nick
03-26-2008, 12:58 PM | #4
Member | Registered: Mar 2008 | Location: UK | Distribution: Fedora, Gentoo | Posts: 209 | Original Poster
Thanks acid and nick. What I had envisaged was some sort of 'universal' pam_net_auth module, that can connect to a daemon on the client (the machine requesting authorisation), and can run pam modules installed there. Provided everything was properly secured with certificates etc, there shouldn't be (in theory anyway) any problem with MITM attacks. So once pam_net_auth connects to the client, it can query things like smart cards, usb tokens or whatever.
What I've realised subsequently is that this approach wouldn't really work. PAM modules are only able to supply yes and no answers to authentication requests. You'd therefore have to trust the client machine's pam modules (which ideally you wouldn't need to do). I just hadn't thought things through.
So I think the only way around it (at the moment) is to have a similar system (pam module on the server that connects to a client side daemon), but with a new set of plugins enabling authentication to local devices (probably just a smart card or OTP generator). The server sends a challenge to the client's daemon, which then transfers it to the actual smart card. The response from the smartcard is then relayed back to the server, where it can check to see if authorization was successful. In this way, the client machine doesn't need to be trusted, since it can't reproduce the result of the challenge (only the 'secure' smart card can do that). You might be able to do something similar with a pure software process as long as the executable could be trusted (properly permissioned files etc).
Anyway, my original post was really just asking if something like this exists already. I might have a play around to see what I can get running.
Thanks again both of you.
Last edited by beadyallen; 03-26-2008 at 01:02 PM.
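The challenge/response relay sketched in this post, written out as an added illustration that is not code from the thread or from any project named in it: a hypothetical AuthServer issues a fresh nonce, an untrusted ClientDaemon only forwards it to a simulated SmartCard that holds the sole copy of the key, and the server checks the HMAC answer and consumes the nonce, so the client machine need not be trusted and a captured reply cannot be replayed (the one-time-password point Nick makes above). All class names and the protocol label are invented; the card is simulated with HMAC-SHA256.

```python
import hashlib
import hmac
import secrets
CONTEXT = b"pam-net-auth-v0"  # hypothetical protocol label, bound into every answer

def token_mac(key: bytes, user: str, nonce: bytes) -> bytes:
    """What the card computes: a MAC over the label, the user and the server's nonce."""
    return hmac.new(key, CONTEXT + user.encode() + b"\0" + nonce, hashlib.sha256).digest()

class SmartCard:
    """Constructed stand-in for the hardware token: the only component holding the secret."""
    def __init__(self, key: bytes) -> None:
        self._key = key

    def sign(self, user: str, nonce: bytes) -> bytes:
        return token_mac(self._key, user, nonce)

class ClientDaemon:
    """The relay on the (untrusted) client machine; it forwards bytes and never sees the key."""
    def __init__(self, card: SmartCard) -> None:
        self._card = card

    def answer(self, user: str, nonce: bytes) -> bytes:
        return self._card.sign(user, nonce)

class AuthServer:
    """Server side: what a pam_net_auth-style module would call into."""
    def __init__(self) -> None:
        self._keys = {}         # user -> key enrolled out of band
        self._outstanding = {}  # user -> nonce issued but not yet consumed

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)  # fresh per attempt, so a captured answer is useless later
        self._outstanding[user] = nonce
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        issued = self._outstanding.pop(user, None)  # a nonce is accepted at most once
        key = self._keys.get(user)
        if issued is None or key is None or not hmac.compare_digest(issued, nonce):
            return False
        return hmac.compare_digest(token_mac(key, user, nonce), response)

def authenticate(server: AuthServer, user: str, daemon: ClientDaemon) -> bool:
    # One round trip: server challenges, daemon relays to the card, server checks the answer.
    nonce = server.challenge(user)
    return server.verify(user, nonce, daemon.answer(user, nonce))
```

The transport between server and daemon is left out; in practice it would still need TLS with verified certificates, but the secret never crosses it either way.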
03-27-2008, 09:05 AM | #5
LQ Guru | Registered: Feb 2004 | Location: SE Tennessee, USA | Distribution: Gentoo, LFS | Posts: 10,887
I'm not sure that what you are looking for is within the architectural scope of PAM. As far as I am aware, the rules of PAM are all "inward facing." In other words, the rules on this machine apply to this machine and are consulted by this machine even if one of the modules subsequently sends a query out to another machine to obtain approval.
03-27-2008, 11:59 AM | #6
Member | Registered: Mar 2008 | Location: UK | Distribution: Fedora, Gentoo | Posts: 209 | Original Poster
Thanks sundialsvcs. I've come to the same conclusion. PAM just isn't designed for what I'm proposing. I think what I want would require a separate client/server architecture. This could then be accessed through PAM modules, but wouldn't be part of PAM itself.
I've had a look around, and it seems that some things exist that are similar to what I am looking for, but not really generic enough. For instance, WikID mentioned in previous posts is part of the way there. The problem is, it still requires user interaction (a user has to get the new otp from the WikID server, and then send it to squid, which then checks the otp with the WikID server). This seems a little long-winded to me. Not to mention that the transfer of the token between client and server potentially takes place across insecure sockets (http auth in squid for example). It seems to defeat some of the point of the WikID server <-> WikID client communications being encrypted, and might allow for MITM attacks. Still, I've not looked too deeply, so maybe I'm wrong.
It'd be nice to have a framework whereby the server can authenticate directly with the client, by accessing hardware tokens, fingerprints, or whatever. I suppose it could be through a third party, like the WikID server, but it should be transparent to the user.
Also, the way I see it, with PAM at the moment, you can only ever send one identifying token to squid. Whether that is a normal password, otp, fingerprint or anything else is really not the point. It's still one factor authentication, even if that factor is strong and can change every time.
There are alternatives. For instance, I've just been reading about SPNEGO, which apparently Squid will support. But it's far from perfect (using Kerberos and all its problems), and it's only for Squid. I'm wanting a generic framework, like PAM, but 'network enabled'. Oh, and the moon on a stick if anyone's got it.
Thanks again
beady