The default PAM configuration for kerberos authentication allows unauthenticated SSH access

Bug #1705359 reported by Brett Profitt
Affects: auth-client-config (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: -

Bug Description

When configuring the Kerberos PAM module with `sudo auth-client-config -a -p kerberos_example` as instructed on https://help.ubuntu.com/14.04/serverguide/kerberos.html#kerberos-linux-client, a PAM configuration is created that allows users to authenticate with invalid passwords. This includes sudo authentication.

Attached, please find the /etc/pam.d/common-auth generated by auth-client-config.

Incorrect authentication occurs on a fresh install of at least Ubuntu 17.04 and 16.04.02 and can be replicated consistently by following the guide linked above. Note that if Kerberos is configured for an invalid realm, the problem does not exist.

I have corrected this by changing /etc/pam.d/common-auth to:

# Kerberos first: a valid Kerberos password ends the stack (done); an
# unreachable KDC or a rejected password is ignored and falls through.
auth [authinfo_unavail=ignore success=done default=ignore] pam_krb5.so use_first_pass ignore_root debug
# Then the local password. If this is ignored as well, no module has
# granted success and Linux-PAM fails the stack closed.
auth [success=done default=ignore] pam_unix.so nullok_secure debug
#auth [default=done] pam_ccreds.so action=validate use_first_pass
#auth [default=done] pam_ccreds.so action=store
#auth [default=ignore] pam_ccreds.so action=update

Here is the /var/log/auth.log session of a local and an SSH login that failed Kerberos auth but were still allowed to log in:

Jul 19 02:15:49 ubuntu-test login[5378]: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
Jul 19 02:15:49 ubuntu-test login[5378]: PAM adding faulty module: pam_foreground.so
Jul 19 02:15:49 ubuntu-test login[5378]: pam_krb5(login:auth): pam_sm_authenticate: entry
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:auth): (user brett) attempting authentication as <email address hidden>
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:auth): (user brett) krb5_get_init_creds_password: Client '<email address hidden>' not found in Kerberos database
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:auth): authentication failure; logname=brett uid=0 euid=0 tty=/dev/tty2 ruser= rhost=
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:auth): pam_sm_authenticate: exit (failure)
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:account): pam_sm_acct_mgmt: entry
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:account): skipping non-Kerberos login
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:account): pam_sm_acct_mgmt: exit (ignore)
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:session): pam_sm_open_session: entry
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:session): no context found, creating one
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:session): (user brett) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:session): pam_sm_open_session: exit (ignore)
Jul 19 02:15:51 ubuntu-test login[5378]: pam_unix(login:session): session opened for user brett by LOGIN(uid=0)
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:setcred): pam_sm_setcred: entry (establish)
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:setcred): no context found, creating one
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:setcred): (user brett) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:setcred): pam_sm_setcred: exit (success)
Jul 19 02:15:55 ubuntu-test sshd[5452]: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
Jul 19 02:15:55 ubuntu-test sshd[5452]: PAM adding faulty module: pam_foreground.so
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (nonull)
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:auth): (user brett) attempting authentication as <email address hidden>
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:auth): (user brett) krb5_get_init_creds_password: Client '<email address hidden>' not found in Kerberos database
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:auth): authentication failure; logname=brett uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (failure)
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:account): skipping non-Kerberos login
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Jul 19 02:15:57 ubuntu-test sshd[5452]: Accepted password for brett from 10.0.2.2 port 50814 ssh2
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (establish)
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:setcred): no context found, creating one
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:setcred): (user brett) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:session): pam_sm_open_session: entry
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:session): no context found, creating one
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:session): (user brett) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:session): pam_sm_open_session: exit (ignore)
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_unix(sshd:session): session opened for user brett by (uid=0)
Jul 19 02:15:57 ubuntu-test sshd[5515]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (establish)
Jul 19 02:15:57 ubuntu-test sshd[5515]: pam_krb5(sshd:setcred): no context found, creating one
Jul 19 02:15:57 ubuntu-test sshd[5515]: pam_krb5(sshd:setcred): (user brett) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Jul 19 02:15:57 ubuntu-test sshd[5515]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
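The auth.log excerpt above has a signature a detection rule can key on: the same PID records a pam_krb5 authentication failure and then opens a session anyway. The script below is an added example, not part of the bug report or of any Ubuntu tool; it groups syslog lines by process and PID and flags that sequence. The sample log embeds lines copied from the report above plus one constructed benign login (user alice, host 10.0.2.9) to show a non-match. One caveat the stack in the report makes unavoidable: pam_unix does not log successful authentications, so a legitimate fallback to a correct Unix password looks identical to the bug unless pam_unix also logged a failure; the rule therefore reports both cases for review.

```python
"""Flag PAM sessions that were opened after pam_krb5 rejected the password.

Added example, not code from the bug report.  Lines in SAMPLE_LOG are taken
from the report's auth.log excerpt; the two 'alice' lines are constructed.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:auth): authentication failure; logname=brett uid=0 euid=0 tty=/dev/tty2 ruser= rhost=
Jul 19 02:15:51 ubuntu-test login[5378]: pam_krb5(login:auth): pam_sm_authenticate: exit (failure)
Jul 19 02:15:51 ubuntu-test login[5378]: pam_unix(login:session): session opened for user brett by LOGIN(uid=0)
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_krb5(sshd:auth): authentication failure; logname=brett uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2
Jul 19 02:15:57 ubuntu-test sshd[5452]: Accepted password for brett from 10.0.2.2 port 50814 ssh2
Jul 19 02:15:57 ubuntu-test sshd[5452]: pam_unix(sshd:session): session opened for user brett by (uid=0)
Jul 19 02:15:57 ubuntu-test sshd[5515]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
Jul 19 02:20:03 ubuntu-test sshd[6001]: Accepted publickey for alice from 10.0.2.9 port 50900 ssh2
Jul 19 02:20:03 ubuntu-test sshd[6001]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

# Generic syslog prefix: timestamp, host, process[pid]: message
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
KRB5_FAIL = re.compile(r"pam_krb5\(\w+:auth\): authentication failure;.*\btty=(?P<tty>\S*) ruser=\S* rhost=(?P<rhost>\S*)")
UNIX_FAIL = re.compile(r"pam_unix\(\w+:auth\): authentication failure;")
SESSION = re.compile(r"pam_unix\(\w+:session\): session opened for user (?P<user>\S+)")
ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+)")


def find_krb5_fallthrough(log_text):
    """Return one finding per (process, pid) that logged a pam_krb5 auth
    failure and later opened a session."""
    events = defaultdict(lambda: {"krb5_fail": None, "unix_fail": False,
                                  "accepted": None, "session": None})
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        e = events[(m["proc"], int(m["pid"]))]
        msg = m["msg"]
        fail = KRB5_FAIL.search(msg)
        acc = ACCEPTED.match(msg)
        sess = SESSION.search(msg)
        if fail:
            e["krb5_fail"] = {"ts": m["ts"], "tty": fail["tty"], "rhost": fail["rhost"]}
        elif UNIX_FAIL.search(msg):
            e["unix_fail"] = True
        elif acc:
            e["accepted"] = acc["method"]
        elif sess:
            e["session"] = {"ts": m["ts"], "user": sess["user"]}

    findings = []
    for (proc, pid), e in events.items():      # dict keeps first-seen order
        if not (e["krb5_fail"] and e["session"]):
            continue
        # pam_unix logs failures but not successes, so without a logged
        # pam_unix failure a correct Unix-password fallback is indistinguishable.
        verdict = ("both modules rejected, login still granted" if e["unix_fail"]
                   else "Kerberos rejected, login granted; fallback unverifiable")
        findings.append({"proc": proc, "pid": pid, "user": e["session"]["user"],
                         "tty": e["krb5_fail"]["tty"], "rhost": e["krb5_fail"]["rhost"],
                         "accepted": e["accepted"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_krb5_fallthrough(SAMPLE_LOG):
        print(f"{f['proc']}[{f['pid']}] user={f['user']} tty={f['tty']} "
              f"rhost={f['rhost'] or '-'} accepted={f['accepted']}: {f['verdict']}")
```

Run it against a real /var/log/auth.log by reading the file into `find_krb5_fallthrough`; on the report's excerpt it flags login[5378] on /dev/tty2 and sshd[5452] from 10.0.2.2, and ignores the child sshd[5515] (setcred only) and the constructed publickey login.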

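The reporter's corrected common-auth relies on the bracketed control syntax, and whether such a stack can ever grant access with no module succeeding comes down to how libpam walks it. The following is an added example (not code from the report, from auth-client-config, or from Linux-PAM): a small model of libpam's dispatch rules as pam.conf(5) documents them (ok/done/bad/die/ignore/reset and numeric jumps, plus the keyword expansions), applied to the corrected stack from the description and, for comparison, to the three-line shape of the stock Debian/Ubuntu common-auth as assumed here from memory. Per-module return codes are constructed inputs; the point is to see that a stack in which every module is ignored fails closed, because libpam starts from a must-fail status and only a positively recorded result can turn it into success.

```python
"""Model of how Linux-PAM walks an auth stack (the pam_dispatch rules).

Added example; not code from the bug report, auth-client-config or libpam.
It parses 'auth' lines in bracketed control syntax, expands the classic
keywords as pam.conf(5) documents them, and evaluates the stack against
constructed per-module return codes.
"""
import re

# Keyword expansions as documented in pam.conf(5).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}
PERM_DENIED = "perm_denied"        # libpam's PAM_MUST_FAIL_CODE
# Fixed return codes of the two helper modules used at the end of common-auth.
BUILTIN = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}

# The reporter's corrected /etc/pam.d/common-auth from the description.
REPORTER_FIX = """
auth [authinfo_unavail=ignore success=done default=ignore] pam_krb5.so use_first_pass ignore_root debug
auth [success=done default=ignore] pam_unix.so nullok_secure debug
"""
# Shape of the stock Debian/Ubuntu common-auth (assumed from memory; check
# your own /etc/pam.d/common-auth).
STOCK_SHAPE = """
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
"""


def parse_stack(text):
    """Return [(controls, module)] for each non-comment 'auth' line."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\w+)\s+(\S+)", line)
        if not m:
            raise ValueError("cannot parse: " + line)
        control = KEYWORDS.get(m.group(1), m.group(1)).strip("[]")
        controls = dict(tok.split("=", 1) for tok in control.split())
        stack.append((controls, m.group(2)))
    return stack


def evaluate(stack, results):
    """Walk the stack; results maps module -> return code ("success",
    "auth_err", "authinfo_unavail", ...).  A module missing from results is
    treated like one libpam could not load (module_unknown)."""
    impression = None          # None: undefined, True: positive, False: negative
    status = PERM_DENIED       # libpam starts from "must fail"
    i = 0
    while i < len(stack):
        controls, module = stack[i]
        i += 1
        retval = {**BUILTIN, **results}.get(module, "module_unknown")
        action = controls.get(retval, controls.get("default", "bad"))
        if action in ("ok", "done") or action.isdigit():
            # Recorded as the stack result only if nothing has failed yet.
            if impression is None or (impression and status == "success"):
                impression, status = True, retval
            if action == "done" and impression:
                break                      # positive result, stop early
            if action.isdigit():
                i += int(action)           # jump: skip the next N modules
        elif action in ("bad", "die"):
            if impression is not False:    # first failure sets the status
                impression, status = False, retval
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, PERM_DENIED
        # "ignore": the module does not contribute to the result
    if status == "success" and impression is not True:
        status = PERM_DENIED               # libpam's config-error sanity check
    return status


def outcomes(stack_text, cases):
    """Evaluate one stack against several named per-module result sets."""
    stack = parse_stack(stack_text)
    return {name: evaluate(stack, results) for name, results in cases.items()}


CASES = {
    "krb5 ok":                        {"pam_krb5.so": "success"},
    "krb5 rejected, unix ok":         {"pam_krb5.so": "auth_err", "pam_unix.so": "success"},
    "krb5 rejected, unix rejected":   {"pam_krb5.so": "auth_err", "pam_unix.so": "auth_err"},
    "KDC unreachable, unix rejected": {"pam_krb5.so": "authinfo_unavail", "pam_unix.so": "auth_err"},
    "pam_krb5 missing, unix ok":      {"pam_unix.so": "success"},
}

if __name__ == "__main__":
    for name, result in outcomes(REPORTER_FIX, CASES).items():
        print(f"{name:32s} -> {result}")
```

Reading the table: the corrected stack grants access only when pam_krb5 or pam_unix actually returns success; two rejections, or an unreachable KDC plus a rejection, end with every module ignored and the stack denied. Real modules return many more codes than the four used here, and a faulty or missing module does not silently pass either: an unlisted return code hits `default`, and an all-ignored stack still fails.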
Brett Profitt (brettprofitt) wrote :
Seth Arnold (seth-arnold) wrote :

Is the problem the tool or the guide?

Thanks

affects: keychain (Ubuntu) → auth-client-config (Ubuntu)
Brett Profitt (brettprofitt) wrote :

It seems to be a problem with the stock Kerberos profile of the tool. Even though the profile is listed as an example, I don't think this is the intended effect.

Marc Deslauriers (mdeslaur) wrote :
Changed in auth-client-config (Ubuntu):
status: New → Confirmed
Steve Beattie (sbeattie)
information type: Private Security → Public Security