Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: SOCKS proxy & PAM configuration exposure
Top Forums UNIX for Advanced & Expert Users SOCKS proxy & PAM configuration exposure Post 302988819 by rbatte1 on Tuesday 3rd of January 2017 09:49:49 AM
Old 01-03-2017
Thanks for the pointers. I am pleased to report that we have changed /etc/pam.d/ss5 from this:-
Code:
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
auth       required     pam_wheel.so use_uid group=SocksUsers
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

.... to this (grouping all the auth statements together too):-
Code:
#%PAM-1.0
auth       requisite	pam_succeed_if.so debug user ingroup socksusers
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

When we moved the rule up the order before the include statement, the use_uid meant that the rules were being applied to the account running the code, not the connecting user, i.e. it was testing the single account root for every connection.

Notes:-
  • I've set this to be requisite to just exit if the account does not have the required group.
  • I found that pam_succeed_if.so gave me the debug option for logging.
  • The pam_succeed_if.so also can be extended if multiple acceptance criteria were required.
  • The group appears to be case-insensitive, but shows as all lower case when running something like id rbatte1 | sed 's/) /)\n/g ; s/,/\n/g' | sort -nk1,1.5

I hope that this might be useful to someone else.


Robin
 

9 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Pam configuration

I have suse (SLES 9) machine,I would like to know how to creat a PAM configure file for ldap authentication and loading it using a "config" argument to pam_ldap.so Thanks for your help (0 Replies)
Discussion started by: hassan1
0 Replies

2. UNIX for Dummies Questions & Answers

reread pam configuration

Hi. i am on solaris. I have changed pam configuration. Do i need to let pam re-read its configuration again? If so, how can i do it? ps -ef | grep -i pam, returns no hits. Rgds (0 Replies)
Discussion started by: yls177
0 Replies

3. IP Networking

proxy DNS configuration

i have the DNS and the web proxy services running on one of my sun machines....the funny thing is clients use the proxy server by addressing it with its IP address only....what i need is to assign it like...proxy.amu.edu.et...... my guess is the problem is the configuration with the DNS ...but i... (2 Replies)
Discussion started by: henokia4j
2 Replies

4. Red Hat

PAM configuration: Kerberos authentication and NIS authorization problem

Hi, I've configured two linux boxes to authenticate against Windows Active Directory using Kerberos while retrieving authorization data (uids, gids ,,,)from NIS. The problem I ran into with my PAM configuration is that all authentication attempts succeed in order.i.e. if someone tried his... (0 Replies)
Discussion started by: geek.ksa
0 Replies

5. IP Networking

SQUID Proxy server configuration

Can any one direct me to the resources where I can find in-depth instructions on Squid Proxy server and its configuration? Thanks in advance.:) (1 Reply)
Discussion started by: admin_xor
1 Replies

6. UNIX for Advanced & Expert Users

Squid Dynamic Proxy Server Configuration

Hello all, I am trying to configure squid proxy server for different organizations. These organizations will have different blocked ports, different acls, etc. But, I can use only one proxy server for this purpose. Thinking of making a shell script with iptables and squid. For an example: a... (1 Reply)
Discussion started by: admin_xor
1 Replies

7. Shell Programming and Scripting

AIX pam ssh/sshd configuration not allowing sed or awk

This is a weird problem. Following is my code. /opt/quest/bin/vastool configure pam sshd /opt/quest/bin/vastool configure pam ssh cat /etc/pam.conf | \ awk '$1=="ssh"||$1=="sshd"||$1=="emagent"{sub("prohibit","aix",$NF);}1' OFS='\t' > /etc/pam.conf cat /etc/ssh/sshd_config | \ sed -e... (2 Replies)
Discussion started by: pjeedu2247
2 Replies

8. UNIX for Dummies Questions & Answers

Can't connect through ssh socks proxy to certain sites

Hello, i setup an open socks proxy on my remote vps: ssh -f -N -D 0.0.0.0:1080 localhost and then allowed only connections from IP of my home computer iptables -A INPUT --src myhomeip -p tcp --dport 1080 -j ACCEPT iptables -A INPUT -p tcp --dport 1080 -j REJECT but it appears that im... (3 Replies)
Discussion started by: postcd
3 Replies

9. Shell Programming and Scripting

Proxy socks tester issue

I have a list of ip socks / port(eg: 192.168.0.1 80). I would like to write a bash to test automatically these addresses in a loop with firefox. The problem is that firefox process stays alive even when firefox does not work because of wrong network settings. So I want to kill the process when the... (3 Replies)
Discussion started by: arpagon
3 Replies

LEARN ABOUT FREEBSD

pam_ldap

pam_ldap(8)						      System Manager's Manual						       pam_ldap(8)

NAME

       pam_ldap - PAM module for LDAP-based authentication

SYNOPSIS

       pam_ldap.so [...]

DESCRIPTION

       This is a PAM module that uses an LDAP server to verify user access rights and credentials.

OPTIONS

       use_first_pass
	      Specifies that the PAM module should use the first password provided in the authentication stack and not prompt the user for a pass-
	      word.

       try_first_pass
	      Specifies that the PAM module should use the first password provided in the authentication stack and if that fails prompt  the  user
	      for a password.

       nullok Specifying this option allows users to log in with a blank password.  Normally logins without a password are denied.

       ignore_unknown_user
	      Specifies  that  the  PAM module should return PAM_IGNORE for users that are not present in the LDAP directory.  This causes the PAM
	      framework to ignore this module.

       ignore_authinfo_unavail
	      Specifies that the PAM module should return PAM_IGNORE if it cannot contact the LDAP server.  This causes the PAM framework  to  ig-
	      nore this module.

       no_warn
	      Specifies that warning messages should not be propagated to the PAM application.

       use_authtok
	      This  causes the PAM module to use the earlier provided password when changing the password. The module will not prompt the user for
	      a new password (it is analogous to use_first_pass).

       debug  This option causes the PAM module to log debugging information to syslog(3).

       minimum_uid=UID
	      This option causes the PAM module to ignore the user if the user id is lower than the specified value. This can be  used	to  bypass
	      LDAP checks for system users (e.g. by setting it to 1000).

MODULE SERVICES PROVIDED

       All services are provided by this module but currently sessions changes are not implemented in the nslcd daemon.

FILES

       /etc/pam.conf
	      the main PAM configuration file

       /etc/nslcd.conf
	      The configuration file for the nslcd daemon (see nslcd.conf(5))

SEE ALSO

       pam.conf(5), nslcd(8), nslcd.conf(5)

AUTHOR

       This manual was written by Arthur de Jong <arthur@arthurdejong.org>.

Version 0.8.10							     Jun 2012							       pam_ldap(8)
All times are GMT -4. The time now is 08:33 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy