SSH Gateway: Auth and Auth
2. What we want
-- authentication from ITServices LDAP
-- but authorisation from local files/service
-- i.e., we want to use central credentials, but only those on our
   local list should be able to log in
3. Two Methods
According to the Debian Wiki, there are two ways of using LDAP for authentication:
- pam_ldap can be used to attempt an authenticated bind to the LDAP server.
- Alternatively, the LDAP server can be persuaded to expose hashed passwords to the client (us!) and pam_unix does the authentication.
We use the authenticated-bind method.
4. ldap.man.ac.uk vs ldap.manchester.ac.uk and nscd
- ldap.man.ac.uk is Far Too Slow
-- ldap.manchester.ac.uk should be used for authentication. This takes
   about 10 seconds for a login; ldap.man.ac.uk takes about five
   minutes (lack of required indices???).
-- ldapsearch is fine with either.
- nscd
-- Even with ldap.manchester.ac.uk, logins can take 10 seconds and, e.g., ls -l can take
   the same 10 seconds (every uid/gid it has to turn into a name is another lookup). So
   install and start nscd, so that subsequent logins and ls -l are instant.
- Make sure /etc/ldap/ldap.conf is set to use SSL (see 6.1).
- If we don't add the tls_reqcert and tls_cacertdir entries we get

      ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

  The above can be trouble-shot thusly (note the "-d5"; this particular trace was
  taken against ldap.man.ac.uk):

      ldapsearch -d5 -D 'cn=mpciish2,ou=mc,ou=admin,ou=uman,o=ac,c=uk' -W -H ldaps://ldap.manchester.ac.uk uid=mpciish2
      ldap_url_parse_ext(ldaps://ldap.man.ac.uk)
      ldap_create
      ldap_url_parse_ext(ldaps://ldap.man.ac.uk:636/??base)
      Enter LDAP Password:
      ldap_sasl_bind
      ldap_send_initial_request
      ldap_new_connection 1 1 0
      ldap_int_open_connection
      ldap_connect_to_host: TCP ldap.man.ac.uk:636
      ldap_new_socket: 3
      ldap_prepare_socket: 3
      ldap_connect_to_host: Trying 130.88.101.141:636
      ldap_pvt_connect: fd: 3 tm: -1 async: 0
      TLS: peer cert untrusted or revoked (0x42)
      TLS: can't connect: (unknown error code).
      ldap_err2string
      ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

  "peer cert untrusted or revoked" is the client refusing a server certificate it cannot
  chain to a CA it trusts. "tls_reqcert never" makes the error go away by not checking the
  certificate at all; the proper fix is the CA certificate in tls_cacertdir with
  "tls_reqcert demand".

- uses ITServices LDAP for authentication, but
- local flat files for authorisation;
- and can use local flat files for authentication too, for non-central
  credentials.
11.1. Some Doc
The four PAM management groups:
- auth: provides the authentication, e.g., checking a password (or Kerberos tickets).
- account: provides authorisation.
- session: post auth/account stuff, e.g., mounting the home-dir.
- password: password changing stuff.
11.2. The Config
/etc/pam.d/common-auth:
    auth sufficient pam_unix.so
    auth sufficient pam_ldap.so try_first_pass
    #
    # ...try local flat files first, then LDAP...
    #
    auth requisite pam_deny.so
    auth required pam_permit.so
    ##auth [success=2 default=ignore] pam_unix.so nullok_secure
    ##auth [success=1 default=ignore] pam_ldap.so use_first_pass
/etc/pam.d/common-account:
    account sufficient pam_unix.so
    #
    # ...local flat files only...
    #
    account requisite pam_deny.so
    account required pam_permit.so
    ##account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
    ##account [success=1 default=ignore] pam_ldap.so
/etc/pam.d/common-session:
    session [default=1] pam_permit.so
    session requisite pam_deny.so
    session required pam_permit.so
    session required pam_unix.so
    session optional pam_ldap.so
/etc/pam.d/common-password:
    password sufficient pam_unix.so obscure sha512 try_first_pass
    password requisite pam_deny.so
    password required pam_permit.so
11.3. Debian Default Config with LDAP (from pam-auth-update)
This does LDAP authentication, as required, but allows everyone at UoM to log in! Not what we want!
/etc/pam.d/common-auth:
    auth [success=2 default=ignore] pam_unix.so nullok_secure
    auth [success=1 default=ignore] pam_ldap.so use_first_pass
    auth requisite pam_deny.so
    auth required pam_permit.so
    auth optional pam_cap.so
/etc/pam.d/common-account:
    account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
    account [success=1 default=ignore] pam_ldap.so
    account requisite pam_deny.so
    account required pam_permit.so
/etc/pam.d/common-session:
    session [default=1] pam_permit.so
    session requisite pam_deny.so
    session required pam_permit.so
    session required pam_unix.so
    session optional pam_ldap.so
    session optional pam_systemd.so
/etc/pam.d/common-password:
    password [success=2 default=ignore] pam_unix.so obscure sha512
    password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
    password requisite pam_deny.so
    password required pam_permit.so
    password optional pam_gnome_keyring.so
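To make the difference between the 11.2 and 11.3 stacks concrete, here is an added example (not part of the original page) that models how libpam walks a stack. The control words are expanded to the [value=action] form given in pam.conf(5), and the two sets of common-auth/common-account stacks are run over constructed users: simonh and mpciish2 from section 12, plus mccssmb2 (section 10) as an LDAP-only user. Passwords are plain stand-ins for the $6$ hashes, and name-service lookup (nsswitch/libnss-ldap) is outside the model; it only answers what the PAM stacks say.

```python
"""Model of the common-auth / common-account stacks in 11.2 and 11.3.

Added example, not the page's own code.  Control words are expanded to their
[value=action] form exactly as pam.conf(5) defines them and the stack is walked
the way libpam walks it.  Users, passwords and LDAP contents are constructed
stand-ins: plain strings replace the $6$ hashes.
"""

# Constructed sample data standing in for /etc/passwd, /etc/shadow and ITServices LDAP.
LOCAL_PASSWD = {"statd", "sshd", "simonh", "mpciish2"}                  # exists locally
LOCAL_SHADOW = {"simonh": "local-pw-1", "mpciish2": "local-pw-2"}       # usable local password
CENTRAL_LDAP = {"mpciish2": "central-pw-2", "mccssmb2": "central-pw-3"}  # all of UoM

# pam.conf(5): the classic control words are shorthand for these action maps.
CONTROL_WORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

def parse_control(control):
    """Turn 'sufficient' or '[success=2 default=ignore]' into {result: action}."""
    spec = CONTROL_WORDS.get(control, control.strip("[]"))
    return dict(item.split("=", 1) for item in spec.split())

# Module behaviours: each returns a PAM result name for (user, password).
def unix_auth(user, password):
    if user not in LOCAL_PASSWD:
        return "user_unknown"
    return "success" if LOCAL_SHADOW.get(user) == password else "auth_err"

def ldap_auth(user, password):
    if user not in CENTRAL_LDAP:
        return "user_unknown"
    return "success" if CENTRAL_LDAP[user] == password else "auth_err"

def unix_account(user, password):
    return "success" if user in LOCAL_PASSWD else "user_unknown"

def ldap_account(user, password):
    return "success" if user in CENTRAL_LDAP else "user_unknown"

def deny(user, password):
    return "perm_denied"

def permit(user, password):
    return "success"

def run_stack(stack, user, password):
    """Walk one management group's stack; return the PAM result name it yields."""
    failure = None      # first result recorded by "bad"/"die"; outranks later successes
    succeeded = False   # a success was recorded by "ok", "done" or a numeric jump
    i = 0
    while i < len(stack):
        control, module = stack[i]
        result = module(user, password)
        actions = parse_control(control)
        action = actions.get(result, actions.get("default", "ignore"))
        i += 1
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            failure = failure or result
            if action == "die":
                break
            continue
        # "ok", "done" and a number all record the result; "done" ends the stack,
        # a number additionally skips that many following modules.
        if result == "success" and failure is None:
            succeeded = True
        if action == "done":
            break
        if action.isdigit():
            i += int(action)
    if failure is not None:
        return failure
    return "success" if succeeded else "perm_denied"

CUSTOM = {   # 11.2: LDAP may authenticate, but only a local account passes "account"
    "auth": [("sufficient", unix_auth), ("sufficient", ldap_auth),
             ("requisite", deny), ("required", permit)],
    "account": [("sufficient", unix_account), ("requisite", deny), ("required", permit)],
}
DEBIAN_DEFAULT = {   # 11.3: pam-auth-update output, pam_ldap in "account" as well
    "auth": [("[success=2 default=ignore]", unix_auth),
             ("[success=1 default=ignore]", ldap_auth),
             ("requisite", deny), ("required", permit)],
    "account": [("[success=2 new_authtok_reqd=done default=ignore]", unix_account),
                ("[success=1 default=ignore]", ldap_account),
                ("requisite", deny), ("required", permit)],
}

def can_login(stacks, user, password):
    """sshd's view: the auth stack must succeed, and then the account stack must."""
    return (run_stack(stacks["auth"], user, password) == "success"
            and run_stack(stacks["account"], user, password) == "success")

if __name__ == "__main__":
    for user, pw in [("simonh", "local-pw-1"), ("mpciish2", "central-pw-2"),
                     ("mpciish2", "local-pw-2"), ("mccssmb2", "central-pw-3")]:
        print(f"{user:10} custom={can_login(CUSTOM, user, pw)!s:5} "
              f"default={can_login(DEBIAN_DEFAULT, user, pw)}")
```

The interesting row is mccssmb2: under 11.2 the auth stack lets him through (pam_ldap is sufficient) but the account stack stops at pam_deny because pam_unix returns user_unknown and nothing else can record a success; under 11.3 pam_ldap's "success=1" jumps over pam_deny, which is exactly the "everyone at UoM" behaviour.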
12. Example User Authentication and Authorisation
/etc/passwd and /etc/shadow (extract from the latter):
    . . . .
    statd:*:15443:0:99999:7:::
    sshd:*:15443:0:99999:7:::
    . . . .
    simonh:$6$t....asM0:15448:0:99999:7:::
    mpciish2:$6$y....LDN1:15449:0:99999:7:::
- simonh can log in on this machine using local authentication (i.e., local flat files).
- mpciish2 can log in with the central ITS password.
- mpciish2 can also log in with a local password (authenticated against the above flat files).
- No other UoM users can log in, end of.
5. Install Some Packages
-- apt-get install ldap-utils
   (for testing things only, includes ldapsearch; not required for our
   authentication)
-- apt-get install libpam-ldap
-- apt-get install libnss-ldap
6. LDAP Utils (e.g., ldapsearch) and /etc/ldap/ldap.conf
We want to test authenticated binds against the LDAP server. If this does not work, nothing else will.
6.1. Config: /etc/ldap/ldap.conf
The LDAP utilities installed from ldap-utils use /etc/ldap/ldap.conf, so that we don't
have to specify the URI (or host) to the utils at the command line (e.g., -h <host> or
-H <uri>):
    URI ldap://ldap.man.ac.uk
    # ...or ldap.manchester.ac.uk...
    # -- plain text connections (for debugging only) :
    ssl no
    # ...swap "ssl no" for "ssl start_tls" plus the two lines below...
    # -- encrypted connections (for production purposes) :
    ##ssl start_tls
    ## tls_reqcert never
    ## tls_cacertdir /etc/openldap/cacerts
Caveat: "ssl" is a pam_ldap/nss_ldap keyword, not an OpenLDAP ldap.conf one, so the
ldap-utils do not act on it; with them you get TLS by using an ldaps:// URI or the -Z/-ZZ
(StartTLS) flags, and the matching ldap.conf keywords are TLS_REQCERT and TLS_CACERTDIR
(keyword matching is case-insensitive). Note also that "tls_reqcert never" switches
certificate checking off entirely (see 7.1).
6.2. Non-authenticated, plain text connections:
    ldapsearch -x "cn=mpciish2"
works without the need to specify "-h ldap.man.ac.uk" (see above).
6.3. Authenticated secure connections:
ldapsearch -x -D 'cn=mpciish2,ou=mc,ou=admin,ou=uman,o=ac,c=uk' -W -H ldaps://ldap.manchester.ac.uk uid=mpciish2
Notes:
To-do: add certificate later — for ldap.manchester.ac.uk.
7. PAM Configuration for Authentication
7.1. /etc/pam_ldap.conf:
host ldap.manchester.ac.uk
base ou=uman,o=ac,c=uk
scope sub
#
# -- attributes and values for authentication :
#
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password md5
##pam_password clear
#
# -- do we use SSL or TLS (defaults to "no") :
#
##ssl no
ssl start_tls
#
# ...set to no for wireshark(tshark)/tcpdump debugging of the connection only...
#
#
# -- do we worry about man-in-the-middle attacks? With "never" we don't: the server's
#    certificate is not checked at all, so anyone who can get between us and the LDAP
#    server can impersonate it and collect every password we send. Use "demand" once
#    the CA certificate is in tls_cacertdir (see the to-do below).
#
tls_reqcert never
tls_cacertdir /etc/openldap/cacerts
# ...under some circumstances it seems that if referred to by "tls_cacertdir", this
# directory must exist even if "tls_reqcert" is set to "never", otherwise authentication
# will fail...
To-do: add certificate later — for ldap.manchester.ac.uk.
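Because the same weak settings turn up in both 6.1 (ssl no, tls_reqcert never) and 7.1, here is an added example (not the page's own code) that lints an LDAP client config for them. It reads both keyword styles seen on this page, the pam_ldap/nss_ldap one ("ssl start_tls", "tls_reqcert never") and OpenLDAP ldap.conf's ("URI ldaps://...", "TLS_REQCERT demand"), case-insensitively. The sample configs are constructed from the page's settings, the corrected one is hypothetical, and the CA-directory check assumes the OpenSSL hashed-link layout (c_rehash / openssl rehash) that TLS_CACERTDIR expects.

```python
"""Lint an LDAP client config for settings that weaken or disable TLS.

Added example, not the page's own code.  Sample configs are constructed from the
settings shown on the page; the "fixed" one is what the to-do should end up as.
"""
import os
import re
import tempfile

HASHED_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")   # e.g. 4a6481c9.0 as made by c_rehash

def parse_ldap_conf(text):
    """Return {keyword: value} with keywords lower-cased; last occurrence wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def lint(conf, check_cadir=True):
    """Return a list of findings; an empty list means the TLS side looks sane."""
    findings = []
    uri = conf.get("uri", "").lower()
    ssl = conf.get("ssl", "no").lower()
    if not (uri.startswith("ldaps://") or ssl in ("on", "yes", "start_tls")):
        findings.append("plaintext: no ldaps:// URI and ssl is not on/start_tls; "
                        "the bind password crosses the network in the clear")
    reqcert = conf.get("tls_reqcert")
    if reqcert is None:
        findings.append("tls_reqcert not set: set it to demand explicitly")
    elif reqcert.lower() in ("never", "allow"):
        findings.append(f"tls_reqcert {reqcert}: the server certificate is not verified, so "
                        "a man-in-the-middle can impersonate the server and collect passwords")
    elif reqcert.lower() == "try":
        findings.append("tls_reqcert try: a server that presents no certificate is still accepted")
    cadir = conf.get("tls_cacertdir")
    cafile = conf.get("tls_cacertfile") or conf.get("tls_cacert")
    if reqcert and reqcert.lower() == "demand" and not (cadir or cafile):
        findings.append("tls_reqcert demand but no tls_cacertdir/tls_cacertfile: "
                        "nothing to verify against, every TLS connection will fail")
    if cadir and check_cadir:
        if not os.path.isdir(cadir):
            findings.append(f"tls_cacertdir {cadir} does not exist")
        elif not any(HASHED_LINK.match(n) for n in os.listdir(cadir)):
            findings.append(f"tls_cacertdir {cadir} has no hashed certificate links "
                            "(run c_rehash or openssl rehash on it)")
    return findings

# Constructed from the page: the debugging ldap.conf of 6.1 and pam_ldap.conf as in 7.1.
DEBUG_LDAP_CONF = """
URI ldap://ldap.man.ac.uk
ssl no
"""
PAGE_PAM_LDAP_CONF = """
host ldap.manchester.ac.uk
base ou=uman,o=ac,c=uk
ssl start_tls
tls_reqcert never
tls_cacertdir /etc/openldap/cacerts
"""
# Hypothetical corrected config: certificate checking on, CA dir filled in.
FIXED_TEMPLATE = """
host ldap.manchester.ac.uk
base ou=uman,o=ac,c=uk
ssl start_tls
tls_reqcert demand
tls_cacertdir {cadir}
"""

def lint_fixed_config():
    """Lint the corrected config against a temporary CA dir holding one hashed link."""
    with tempfile.TemporaryDirectory() as cadir:
        with open(os.path.join(cadir, "4a6481c9.0"), "w") as f:   # placeholder, not a real cert
            f.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
        return lint(parse_ldap_conf(FIXED_TEMPLATE.format(cadir=cadir)))

if __name__ == "__main__":
    for label, text in (("6.1 debug", DEBUG_LDAP_CONF), ("7.1 as shown", PAGE_PAM_LDAP_CONF)):
        print(label, lint(parse_ldap_conf(text), check_cadir=False) or ["ok"])
    print("corrected", lint_fixed_config() or ["ok"])
```

Run it against the real files (parse_ldap_conf(open("/etc/pam_ldap.conf").read())) before and after the to-do is done; the "no hashed certificate links" finding is the one that explains why a freshly created tls_cacertdir still fails under "demand".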
7.2. /etc/nsswitch.conf, /etc/nss_ldap.conf and /etc/libnss-ldap.conf
-- nsswitch.conf:
passwd: files
group: files
shadow: files
i.e., _not_ required, apparently:
passwd: files ldap
group: files ldap
shadow: files ldap
-- libnss-ldap.conf
# ...not actually sure this is used...
base ou=uman,o=ac,c=uk
uri ldapi://ldap.manchester.ac.uk
# ...ldapi:// is the Unix-domain-socket scheme, so this URI cannot reach a remote host;
# a network server wants ldap:// or ldaps://...
ldap_version 3
rootbinddn cn=manager,dc=example,dc=net
# ...since this is clearly wrong...
7.3. Questions/Answers
-- don't appear to need ldap-related entries in /etc/nsswitch.conf
   or nss_ldap.conf/libnss-ldap.conf
-- is that all for the old pam_unix.so-related way of handling LDAP
   authentication (the second method in section 3, where nss_ldap supplies the
   hashes to pam_unix)???
8. Troubleshooting — tshark
Solaris vs RedHat Linux vs Debian Linux: all sufficiently different that it never works the first time...
Use plain text connections for this (debugging only; do not leave them configured)!!!
To check authenticated bindRequests, for example, that the credentials (e.g., the password) are being sent correctly:
    tshark -x -R "ip.addr == 130.88.101.134"
    # ...ldap.manchester.ac.uk...
    # (newer tshark takes the display filter with -Y; -R is the older flag)
For example, some output from ldapsearch -x -D 'cn=mpciish2,ou=mc,ou=admin,ou=uman,o=ac,c=uk' -W uid=mpciish2:
8.232901 130.88.99.1 -> 130.88.101.141 LDAP bindRequest(1) "cn=mpciish2,ou=mc,ou=admin,ou=uman,o=ac,c=uk" simple
0000 00 0b 60 5c 13 c0 00 50 56 ab 00 6f 08 00 45 00 ..`\...PV..o..E.
0010 00 6a 88 13 40 00 40 06 e5 3b 82 58 63 01 82 58 .j..@.@..;.Xc..X
0020 65 8d be 32 01 85 a8 d2 a4 01 c4 9e 59 7b 50 18 e..2........Y{P.
0030 00 2e cd 9b 00 00 30 40 02 01 01 60 3b 02 01 03 ......0@...`;...
0040 04 2c 63 6e 3d 6d 70 63 69 69 73 68 32 2c 6f 75 .,cn=mpciish2,ou
0050 3d 6d 63 2c 6f 75 3d 61 64 6d 69 6e 2c 6f 75 3d =mc,ou=admin,ou=
0060 75 6d 61 6e 2c 6f 3d 61 63 2c 63 3d 75 6b 80 08 uman,o=ac,c=uk..
0070 31 32 33 34 35 36 37 38 12345678
clearly shows the (duff) password of 12345678 and the bind/search works if the correct
password is supplied.
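To show exactly what that dump contains, here is an added example (not from the page) that rebuilds the frame from the tshark -x text above, slices out the TCP payload using the IPv4 IHL and TCP data-offset fields instead of assuming 54-byte headers, and walks the ASN.1 BER of the LDAPMessage: SEQUENCE { messageID, [APPLICATION 0] BindRequest { version, name, authentication } }. A simple bind carries the password as a [0] OCTET STRING, which is why it reads straight out of a plaintext capture. The hex dump is copied from the page; the function and variable names are mine.

```python
"""Decode the LDAP simple BindRequest in the tshark frame above.

Added example, not the page's own code.  Frame text is the dump shown above;
the decoder handles short- and long-form BER lengths and rejects anything that
is not a BindRequest.
"""
import re

# Frame copied from the tshark -x output above (offset, up to 16 hex bytes, ASCII column).
TSHARK_DUMP = r"""
0000 00 0b 60 5c 13 c0 00 50 56 ab 00 6f 08 00 45 00 ..`\...PV..o..E.
0010 00 6a 88 13 40 00 40 06 e5 3b 82 58 63 01 82 58 .j..@.@..;.Xc..X
0020 65 8d be 32 01 85 a8 d2 a4 01 c4 9e 59 7b 50 18 e..2........Y{P.
0030 00 2e cd 9b 00 00 30 40 02 01 01 60 3b 02 01 03 ......0@...`;...
0040 04 2c 63 6e 3d 6d 70 63 69 69 73 68 32 2c 6f 75 .,cn=mpciish2,ou
0050 3d 6d 63 2c 6f 75 3d 61 64 6d 69 6e 2c 6f 75 3d =mc,ou=admin,ou=
0060 75 6d 61 6e 2c 6f 3d 61 63 2c 63 3d 75 6b 80 08 uman,o=ac,c=uk..
0070 31 32 33 34 35 36 37 38 12345678
"""
HEX_BYTE = re.compile(r"^[0-9a-f]{2}$")

def frame_from_dump(dump):
    """Rebuild the raw frame from a tshark/tcpdump -x style hex dump."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:17]:       # drop the offset; at most 16 bytes per line
            if not HEX_BYTE.match(tok):      # first non-byte token is the ASCII column
                break
            out.append(int(tok, 16))
    return bytes(out)

def tcp_payload(frame):
    """Return (dst_port, payload) for an Ethernet/IPv4/TCP frame."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    total_len = int.from_bytes(frame[ip + 2:ip + 4], "big")
    if frame[ip + 9] != 6:
        raise ValueError("not TCP")
    tcp = ip + ihl
    dst_port = int.from_bytes(frame[tcp + 2:tcp + 4], "big")
    data_off = (frame[tcp + 12] >> 4) * 4
    return dst_port, frame[tcp + data_off:ip + total_len]

def read_tlv(buf, pos):
    """Decode one BER element at buf[pos]: (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_bind_request(payload):
    """Decode an LDAPMessage carrying a BindRequest (RFC 4511 section 4.2)."""
    tag, message, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, msg_id, pos = read_tlv(message, 0)
    tag, op, _ = read_tlv(message, pos)
    if tag != 0x60:                          # [APPLICATION 0] constructed = BindRequest
        raise ValueError(f"not a BindRequest (tag {tag:#x})")
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    tag, cred, _ = read_tlv(op, pos)
    simple = tag == 0x80                     # [0] simple; [3] sasl would be 0xA3
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode(),
        "auth": "simple" if simple else "sasl",
        "password": cred.decode() if simple else None,
    }

def decode_dump(dump=TSHARK_DUMP):
    """Dump text in, decoded bind request (plus the LDAP port it went to) out."""
    port, payload = tcp_payload(frame_from_dump(dump))
    result = decode_bind_request(payload)
    result["dst_port"] = port
    return result

if __name__ == "__main__":
    for key, value in decode_dump().items():
        print(f"{key:11}: {value}")
```

The same read_tlv walk is what the "...INCORRECT" observation in section 9 relies on: if the password field of the decoded bind is not what was typed, the problem is upstream of LDAP.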
9. Authentication Fails — apt-get install libnss-ldap
Using tshark as above to look at failing LDAP authentication:
-- e.g., ssh -l mpciish2 127.0.0.1
-- never see the password as above, only the phrase "...INCORRECT", so
   something fundamental is amiss (sshd substitutes the dummy password
   "\b\n\r\177INCORRECT" when it cannot resolve the user name, so the real
   password never reaches PAM: the user lookup, not the bind, is what fails)
-- apt-get install libnss-ldap
   (symlink libnss-ldap.conf to ldap.conf??)
-- Now it works!
10. More diagnostics:
    getent passwd mpciish2
    mpciish2:*:10001:10000:Simon Hood:/home/mpciish2:/bin/bash
    getent passwd mccssmb2
    mccssmb2:*:249380:11000:Michael Bane:/home/mccssmb2:/bin/bash
11. PAM Module Config: /etc/pam.d/*
-- Final: make the local account REQUIRED; we don't want all of UoM to be able to log in...
Our customised version which