Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: SOCKS proxy & PAM configuration exposure
Top Forums UNIX for Advanced & Expert Users SOCKS proxy & PAM configuration exposure Post 302986627 by rbatte1 on Monday 28th of November 2016 12:02:49 PM
Old 11-28-2016
SOCKS proxy & PAM configuration exposure
I've got a problem with a proxy configuration. We have an LDAP group that lists all users who are authorised to use the proxy to FTP (usually Filezilla) out to the world, and by implication those not in the group should be denied. My users are delighted that this has been enabled and those that wish to get out can do so, however we're not stopping anyone not in the group (and therefore not authorised)

We found this out because I'm not authorised but whilst troubleshooting for a user I connected out no problem. That ended up being a user password problem, so they failed the LDAP check and so PAM prevented the connection.

I haven't got a test server so I will have to get a slot outside business hours (which will be a nightmare in itself) to try out my thoughts but I wanted to sanity check it first. The server is running CentOS The proxy server is SOCKS in /usr/sbin/ss5 and running as the root user.

My suspicion is about the PAM file, /etc/pam.d/ss5 and the way it has been set up. We have this:-
Code:
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
auth       required     pam_wheel.so use_uid group=SocksUsers
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

My theory is that the line defining the allowed group also includes the use_uid option and given that the ss5 daemon is running as the super-user everyone is automatically authenticated. There is a proxy authentication required, but messages is /var/log/secure give me this when I authenticate to the proxy correctly and give invalid credentials to an internet-based FTP site:-
Code:
Nov 28 15:03:14 gateway-b ss5: pam_unix(ss5:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=donald.trump
Nov 28 15:03:14 gateway-b ss5: pam_winbind(ss5:auth): getting password (0x00000008)
Nov 28 15:03:14 gateway-b ss5: pam_winbind(ss5:auth): pam_get_item returned a password
Nov 28 15:03:14 gateway-b ss5: pam_winbind(ss5:auth): user 'donald.trump' granted access

Yes, some Windoze joker created me a test account with that name. Sorry about that. No political persuasion inferred, naturally - I'm British after all.


Before I try to get a slot, does anyone want to contradict my theory? I'd be grateful for avoiding unnecessary effort if I've gone off on the wrong track.



Many thanks, in advance,
Robin
 

9 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Pam configuration

I have suse (SLES 9) machine,I would like to know how to creat a PAM configure file for ldap authentication and loading it using a "config" argument to pam_ldap.so Thanks for your help (0 Replies)
Discussion started by: hassan1
0 Replies

2. UNIX for Dummies Questions & Answers

reread pam configuration

Hi. i am on solaris. I have changed pam configuration. Do i need to let pam re-read its configuration again? If so, how can i do it? ps -ef | grep -i pam, returns no hits. Rgds (0 Replies)
Discussion started by: yls177
0 Replies

3. IP Networking

proxy DNS configuration

i have the DNS and the web proxy services running on one of my sun machines....the funny thing is clients use the proxy server by addressing it with its IP address only....what i need is to assign it like...proxy.amu.edu.et...... my guess is the problem is the configuration with the DNS ...but i... (2 Replies)
Discussion started by: henokia4j
2 Replies

4. Red Hat

PAM configuration: Kerberos authentication and NIS authorization problem

Hi, I've configured two linux boxes to authenticate against Windows Active Directory using Kerberos while retrieving authorization data (uids, gids ,,,)from NIS. The problem I ran into with my PAM configuration is that all authentication attempts succeed in order.i.e. if someone tried his... (0 Replies)
Discussion started by: geek.ksa
0 Replies

5. IP Networking

SQUID Proxy server configuration

Can any one direct me to the resources where I can find in-depth instructions on Squid Proxy server and its configuration? Thanks in advance.:) (1 Reply)
Discussion started by: admin_xor
1 Replies

6. UNIX for Advanced & Expert Users

Squid Dynamic Proxy Server Configuration

Hello all, I am trying to configure squid proxy server for different organizations. These organizations will have different blocked ports, different acls, etc. But, I can use only one proxy server for this purpose. Thinking of making a shell script with iptables and squid. For an example: a... (1 Reply)
Discussion started by: admin_xor
1 Replies

7. Shell Programming and Scripting

AIX pam ssh/sshd configuration not allowing sed or awk

This is a weird problem. Following is my code. /opt/quest/bin/vastool configure pam sshd /opt/quest/bin/vastool configure pam ssh cat /etc/pam.conf | \ awk '$1=="ssh"||$1=="sshd"||$1=="emagent"{sub("prohibit","aix",$NF);}1' OFS='\t' > /etc/pam.conf cat /etc/ssh/sshd_config | \ sed -e... (2 Replies)
Discussion started by: pjeedu2247
2 Replies

8. UNIX for Dummies Questions & Answers

Can't connect through ssh socks proxy to certain sites

Hello, i setup an open socks proxy on my remote vps: ssh -f -N -D 0.0.0.0:1080 localhost and then allowed only connections from IP of my home computer iptables -A INPUT --src myhomeip -p tcp --dport 1080 -j ACCEPT iptables -A INPUT -p tcp --dport 1080 -j REJECT but it appears that im... (3 Replies)
Discussion started by: postcd
3 Replies

9. Shell Programming and Scripting

Proxy socks tester issue

I have a list of ip socks / port(eg: 192.168.0.1 80). I would like to write a bash to test automatically these addresses in a loop with firefox. The problem is that firefox process stays alive even when firefox does not work because of wrong network settings. So I want to kill the process when the... (3 Replies)
Discussion started by: arpagon
3 Replies

LEARN ABOUT CENTOS

fingerprint-auth-ac

SYSTEM-AUTH-AC(5)						File Formats Manual						 SYSTEM-AUTH-AC(5)

NAME

       system-auth-ac,	password-auth-ac,  smartcard-auth-ac, fingerprint-auth-ac, postlogin-ac - Common configuration files for PAMified services
       written by authconfig(8)

SYNOPSIS

       /etc/pam.d/system-auth-ac

DESCRIPTION

       The purpose of this configuration file is to provide common configuration file  for  all  applications  and  service  daemons  calling  PAM
       library.

       The system-auth configuration file is included from all individual service configuration files with the help of the include directive. When
       authconfig(8) writes the system PAM configuration file it replaces the default system-auth file with a symlink pointing	to  system-auth-ac
       and writes the configuration to this file. The symlink is not changed on subsequent configuration changes even if it points elsewhere. This
       allows system administrators to override the configuration written by authconfig.

       The  authconfig	now  writes  the  authentication  modules  also  into  additional  PAM	configuration  files  /etc/pam.d/password-auth-ac,
       /etc/pam.d/smartcard-auth-ac, and /etc/pam.d/fingerprint-auth-ac.  These configuration files contain only modules which perform authentica-
       tion with the respective kinds of authentication tokens.  For example /etc/pam.d/smartcard-auth[-ac] will not contain pam_unix and pam_ldap
       modules and /etc/pam.d/password-auth[-ac] will not contain pam_pkcs11 and pam_fprintd modules.

       The  file  /etc/pam.d/postlogin-ac  contains  common services to be invoked after login. An example can be a module that encrypts an user's
       filesystem or user's keyring and is decrypted by his password.

       The PAM configuration files of services which are accessed by remote connections such as sshd or ftpd now include the  /etc/pam.d/password-
       auth configuration file instead of /etc/pam.d/system-auth.

EXAMPLE

       Configure  system  to  use  pam_tally2  for  configuration  of maximum number of failed logins. Also call pam_access to verify if access is
       allowed.

       Make system-auth symlink point to system-auth-local which contains:

       auth	       requisite       pam_access.so
       auth	       requisite       pam_tally2.so deny=3 lock_time=30 
					     unlock_time=3600
       auth	       include	       system-auth-ac
       account	       required        pam_tally2.so
       account	       include	       system-auth-ac
       password        include	       system-auth-ac
       session	       include	       system-auth-ac

BUGS

       None known.

SEE ALSO

       authconfig(8), authconfig-gtk(8), pam(8), system-auth(5)

Red Hat, Inc.							   2010 March 31						 SYSTEM-AUTH-AC(5)
All times are GMT -4. The time now is 03:55 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy