The default PAM configuration for kerberos authentication allows unauthenticated SSH access
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
auth-client-config (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
When configuring the Kerberos PAM module with `sudo auth-client-config -a -p kerberos_example` as instructed on https:/
Attached, please find the /etc/pam.
Incorrect authentication occurs on a fresh install of at least Ubuntu 17.04 and 16.04.02 and can be replicated consistently by following the guide linked above. Note that if Kerberos is configured for an invalid realm, the problem does not exist.
I have corrected this by changing /etc/pam.
auth [authinfo_
auth [success=done default=ignore] pam_unix.so nullok_secure debug
#auth [default=done] pam_ccreds.so action=validate use_first_pass
#auth [default=done] pam_ccreds.so action=store
#auth [default=ignore] pam_ccreds.so action=update
Here is the /var/log/auth.log session of a local and an SSH login that failed Kerberos auth but was allowed login:
Jul 19 02:15:49 ubuntu-test login[5378]: PAM unable to dlopen(
Jul 19 02:15:49 ubuntu-test login[5378]: PAM adding faulty module: pam_foreground.so
Jul 19 02:15:49 ubuntu-test login[5378]: pam_krb5(
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(
Jul 19 02:15:51 ubuntu-test login[5378]: pam_unix(
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(
Jul 19 02:15:55 ubuntu-test sshd[5452]: PAM unable to dlopen(
Jul 19 02:15:55 ubuntu-test sshd[5452]: PAM adding faulty module: pam_foreground.so
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5452]: Accepted password for brett from 10.0.2.2 port 50814 ssh2
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_unix(
Jul 19 02:15:57 ubuntu-test sshd[5515]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5515]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5515]: pam_krb5(
Jul 19 02:15:57 ubuntu-test sshd[5515]: pam_krb5(
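
A detection check for the symptom in the log above, as an added example that is not part of the original report: it flags an sshd password login that was accepted even though every listed PAM auth module logged a failure for that same attempt. The sample lines are constructed, and the `authentication failure` message text for pam_krb5 and pam_unix is an assumption, because the report's own log lines are cut off.

```python
import re

# Constructed sample in the syslog layout of the report's auth.log excerpt.
# Assumption: both modules log "authentication failure" and log nothing on success.
SAMPLE = """\
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:auth): authentication failure; logname=brett uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=brett
Jul 19 02:15:57 ubuntu-test sshd[5452]: Accepted password for brett from 10.0.2.2 port 50814 ssh2
Jul 19 02:16:30 ubuntu-test sshd[5601]: pam_krb5(sshd:auth): authentication failure; logname=alice uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2
Jul 19 02:16:31 ubuntu-test sshd[5601]: Accepted password for alice from 10.0.2.2 port 50820 ssh2
Jul 19 02:17:02 ubuntu-test sshd[5650]: pam_krb5(sshd:auth): authentication failure; logname=carol uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2
Jul 19 02:17:02 ubuntu-test sshd[5650]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=carol
Jul 19 02:17:04 ubuntu-test sshd[5650]: Failed password for carol from 10.0.2.2 port 50822 ssh2
Jul 19 02:17:09 ubuntu-test sshd[5650]: pam_krb5(sshd:auth): authentication failure; logname=carol uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2
Jul 19 02:17:09 ubuntu-test sshd[5650]: Accepted password for carol from 10.0.2.2 port 50822 ssh2
""".splitlines()

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_FAIL = re.compile(r"^(?P<mod>pam_\w+)\(sshd:auth\): authentication failure")
VERDICT = re.compile(r"^(?P<res>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def accepted_despite_failures(lines, modules=("pam_krb5", "pam_unix")):
    """Return (timestamp, pid, user, ip) for each sshd password login accepted
    although every module in `modules` logged a failure for that attempt."""
    failed = {}  # pid -> modules that failed since sshd's last verdict
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        f = PAM_FAIL.match(msg)
        if f:
            failed.setdefault(pid, set()).add(f["mod"])
            continue
        v = VERDICT.match(msg)
        if v:
            # A verdict closes the attempt, so a retry in the same pid starts clean.
            seen = failed.pop(pid, set())
            if v["res"] == "Accepted" and set(modules) <= seen:
                hits.append((m["ts"], pid, v["user"], v["ip"]))
    return hits

if __name__ == "__main__":
    for hit in accepted_despite_failures(SAMPLE):
        print("accepted with all auth modules failing:", hit)
```

Set `modules` to the password-checking modules actually present in the host's auth stack; a login where one of them succeeded silently, or a successful retry after a failed attempt, is not flagged.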
Changed in auth-client-config (Ubuntu):
status: New → Confirmed
information type: Private Security → Public Security
Is the problem the tool or the guide?
Thanks