I've got a problem with a proxy configuration. We have an LDAP group that lists all users who are authorised to use the proxy to FTP (usually Filezilla) out to the world, and by implication those not in the group should be denied. My users are delighted that this has been enabled and those that wish to get out can do so, however we're not stopping anyone not in the group (and therefore not authorised)
We found this out because I'm not authorised but whilst troubleshooting for a user I connected out no problem. That ended up being a user password problem, so they failed the LDAP check and so PAM prevented the connection.
I haven't got a test server so I will have to get a slot outside business hours (which will be a nightmare in itself) to try out my thoughts but I wanted to sanity check it first. The server is running CentOS The proxy server is SOCKS in /usr/sbin/ss5 and running as the root user.
My suspicion is about the PAM file, /etc/pam.d/ss5 and the way it has been set up. We have this:-
Code:
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
auth required pam_wheel.so use_uid group=SocksUsers
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
My theory is that the line defining the allowed group also includes the use_uid option and given that the ss5 daemon is running as the super-user everyone is automatically authenticated. There is a proxy authentication required, but messages is /var/log/secure give me this when I authenticate to the proxy correctly and give invalid credentials to an internet-based FTP site:-
Code:
Nov 28 15:03:14 gateway-b ss5: pam_unix(ss5:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=donald.trump
Nov 28 15:03:14 gateway-b ss5: pam_winbind(ss5:auth): getting password (0x00000008)
Nov 28 15:03:14 gateway-b ss5: pam_winbind(ss5:auth): pam_get_item returned a password
Nov 28 15:03:14 gateway-b ss5: pam_winbind(ss5:auth): user 'donald.trump' granted access
Yes, some Windoze joker created me a test account with that name. Sorry about that. No political persuasion inferred, naturally - I'm British after all.
Before I try to get a slot, does anyone want to contradict my theory? I'd be grateful for avoiding unnecessary effort if I've gone off on the wrong track.
I have a list of ip socks / port(eg: 192.168.0.1 80). I would like to write a bash to test automatically these addresses in a loop with firefox. The problem is that firefox process stays alive even when firefox does not work because of wrong network settings. So I want to kill the process when the... (3 Replies)
Hello, i setup an open socks proxy on my remote vps:
ssh -f -N -D 0.0.0.0:1080 localhost
and then allowed only connections from IP of my home computer
iptables -A INPUT --src myhomeip -p tcp --dport 1080 -j ACCEPT
iptables -A INPUT -p tcp --dport 1080 -j REJECT
but it appears that im... (3 Replies)
This is a weird problem. Following is my code.
/opt/quest/bin/vastool configure pam sshd
/opt/quest/bin/vastool configure pam ssh
cat /etc/pam.conf | \
awk '$1=="ssh"||$1=="sshd"||$1=="emagent"{sub("prohibit","aix",$NF);}1' OFS='\t' > /etc/pam.conf
cat /etc/ssh/sshd_config | \
sed -e... (2 Replies)
Hello all,
I am trying to configure squid proxy server for different organizations. These organizations will have different blocked ports, different acls, etc. But, I can use only one proxy server for this purpose. Thinking of making a shell script with iptables and squid.
For an example: a... (1 Reply)
Can any one direct me to the resources where I can find in-depth instructions on Squid Proxy server and its configuration?
Thanks in advance.:) (1 Reply)
Hi,
I've configured two linux boxes to authenticate against Windows Active Directory using Kerberos while retrieving authorization data (uids, gids ,,,)from NIS.
The problem I ran into with my PAM configuration is that all authentication attempts succeed in order.i.e. if someone tried his... (0 Replies)
i have the DNS and the web proxy services running on one of my sun machines....the funny thing is clients use the proxy server by addressing it with its IP address only....what i need is to assign it like...proxy.amu.edu.et......
my guess is the problem is the configuration with the DNS ...but i... (2 Replies)
Hi.
i am on solaris. I have changed pam configuration. Do i need to let pam re-read its configuration again? If so, how can i do it?
ps -ef | grep -i pam, returns no hits.
Rgds (0 Replies)
I have suse (SLES 9) machine,I would like to know how to creat a PAM
configure file for ldap authentication and loading it using a "config"
argument to pam_ldap.so
Thanks for your help (0 Replies)
