NIS, PAM, OpenSSH. Seems to work perfectly (one minor concern)

paul at xtdnet.nl
Thu Mar 9 01:17:33 EST 2000


I just spent some time trying to figure out how to get OpenSSH to work
correctly with NIS and PAM. It seems to work fine, apart from one minor
worry I still have (see below).
Feedback about grave security risks is welcome :)

This is using RedHat 6.1 with updates and the OpenSSH 1.2.2p1-1 RPMs on
the NIS server as well as the client.

In short, my configuration is:

/etc/nsswitch.conf:

passwd:     compat
group:      compat
shadow:     files nis

in /etc/passwd I added:

+@staff::::::
+::::::/bin/nologin

/etc/pam.d/login:

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_unix_auth.so
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_unix_passwd.so
session    required     /lib/security/pam_unix_session.so

/etc/pam.d/ssh

#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nodelay
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_limits.so

I'm not using MD5 (Though I thought I was, must have been caused by a RedHat
update).

I'm using the default /etc/ssh settings.

In this setup, I can login as the local users. The NIS users in the netgroup
staff can login fine, and NIS users not in that netgroup get /bin/nologin.
Users have a shared homedir, and the ones that have done:
cat .ssh/identity.pub >> .ssh/authorized_keys
can also not login when not in the staff netgroup.
And when NIS isn't running, it nicely fakes authlookup for NIS users (any
non local users actually) and local users can still nicely login. Excellent!

Now, in the above case where a user is not a member of the netgroup, I
tried to execute a command using ssh:

ssh -l test host /bin/date

The client gives me:
debug: Trying RSA authentication with key 'paul@host'
debug: Received RSA challenge from server.
debug: Sending response to host key RSA challenge.
debug: Remote: RSA authentication accepted.
debug: RSA authentication accepted by server.
debug: Sending command: /bin/date
debug: Entering interactive session.
Environment:
  USER=paul
  LOGNAME=paul
  HOME=/vol/staff/paul
  PATH=/usr/bin:/bin:/usr/sbin:/sbin
  MAIL=/var/spool/mail/paul
  SHELL=/bin/nologin
  SSH_CLIENT=127.0.0.1 622 22
You have no login on this machine, go away.

and the server:
debug: Starting up PAM with username "paul"
debug: Attempting authentication for paul.
Accepted rsa for paul from 127.0.0.1 port 622
debug: PAM setting rhost to "localhost"
debug: Executing command '/bin/date'
debug: PAM establishing creds
debug: Entering interactive session.
debug: Received SIGCHLD.
debug: End of interactive session; stdin 0, stdout (read 44, sent 44), stderr 179 bytes.
debug: Command exited with status 0.
debug: Received exit confirmation.
Closing connection to 127.0.0.1

Mar  8 15:09:45 bofh sshd[2356]: Accepted rsa for paul from 127.0.0.1 port 622
Mar  8 15:10:48 bofh sshd[2356]: Closing connection to 127.0.0.1
Mar  8 15:10:48 bofh PAM_pwdb[2356]: (sshd) session closed for user paul

My question is if it is possible to change /etc/pam.d/ssh so that the session
can still be disallowed. It doesn't seem to execute /bin/date but it's trying
much too hard imho.
One solution would be of course only to put those netgroups/users in that are
allowed to have a login, but for instance that won't work nicely on the mail
server, where all accounts need to exist, and the users are not allowed to
login.

But, I'm quite pleased with OpenSSH within the NIS/Pam/Linux environment as it
is right now. Cheers to those that deserve it :)

Paul
PS. On a side note, the previous version I tried, OpenSSH-1.2.1pre11,
didn't work.
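One way to get the denial the post asks for, added here as an example and not part of Paul's post: the RSA key login shown in the log never runs the `auth` stack, so `pam_nologin.so` placed there is skipped, but sshd still consults the `account` stack before starting the session or running the command. `pam_shells.so` (assumed to be installed under /lib/security/ like the other modules) fails the account check when the user's shell is not listed in /etc/shells, which /bin/nologin should not be.

```text
#%PAM-1.0
# /etc/pam.d/ssh (Paul's stack with one added account line)
auth       required     /lib/security/pam_pwdb.so shadow nodelay
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
# Added: refuse any account whose login shell is not listed in /etc/shells.
# This sits in the account stack, so it is enforced after RSA key
# authentication as well, where the auth lines above are never consulted.
account    required     /lib/security/pam_shells.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_limits.so
```

With this in place, `ssh -l test host /bin/date` for a user mapped to /bin/nologin fails at the account check and no command or shell is started; check /etc/shells first so that the shells of legitimate users are all listed.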
