SOCKS proxy & PAM configuration exposure


 
Thread Tools Search this Thread
Top Forums UNIX for Advanced & Expert Users SOCKS proxy & PAM configuration exposure
# 1  
Old 11-28-2016
SOCKS proxy & PAM configuration exposure

I've got a problem with a proxy configuration. We have an LDAP group that lists all users who are authorised to use the proxy to FTP (usually Filezilla) out to the world, and by implication those not in the group should be denied. My users are delighted that this has been enabled and those that wish to get out can do so, however we're not stopping anyone not in the group (and therefore not authorised)

We found this out because I'm not authorised but whilst troubleshooting for a user I connected out no problem. That ended up being a user password problem, so they failed the LDAP check and so PAM prevented the connection.

I haven't got a test server so I will have to get a slot outside business hours (which will be a nightmare in itself) to try out my thoughts but I wanted to sanity check it first. The server is running CentOS The proxy server is SOCKS in /usr/sbin/ss5 and running as the root user.

My suspicion is about the PAM file, /etc/pam.d/ss5 and the way it has been set up. We have this:-
Code:
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
auth       required     pam_wheel.so use_uid group=SocksUsers
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

My theory is that the line defining the allowed group also includes the use_uid option and given that the ss5 daemon is running as the super-user everyone is automatically authenticated. There is a proxy authentication required, but messages is /var/log/secure give me this when I authenticate to the proxy correctly and give invalid credentials to an internet-based FTP site:-
Code:
Nov 28 15:03:14 gateway-b ss5: pam_unix(ss5:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=donald.trump
Nov 28 15:03:14 gateway-b ss5: pam_winbind(ss5:auth): getting password (0x00000008)
Nov 28 15:03:14 gateway-b ss5: pam_winbind(ss5:auth): pam_get_item returned a password
Nov 28 15:03:14 gateway-b ss5: pam_winbind(ss5:auth): user 'donald.trump' granted access

Yes, some Windoze joker created me a test account with that name. Sorry about that. No political persuasion inferred, naturally - I'm British after all.


Before I try to get a slot, does anyone want to contradict my theory? I'd be grateful for avoiding unnecessary effort if I've gone off on the wrong track.



Many thanks, in advance,
Robin
# 2  
Old 11-29-2016
Hi Robin,

What is in /etc/pam.d/system-auth ?
# 3  
Old 11-30-2016
The content of /etc/pam.d/system-auth is below:-
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so try_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     required      pam_access.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so


Have we done something really bad? Well, I suppose it's bad enough to allow anyone with a valid account Smilie

I know it's designed to be flexible and allow applications to abstract the authentication/authorisation etc. , but it is very confusing!

Apologies,
Robin
# 4  
Old 12-06-2016
So, limited testing options have just left me with the theory unless anyone can suggest how I could set up a couple of servers to match. Basically, no there servers have access to the public internet, so I'm a bit stuck how I can do this without asking the network people to expose my test server to the public side - and that's another headache all together.

Am I missing something simple? I'm concerned to prove to myself that I would actually drive through a proxy to a dummy sftp server I can set up internally.


Robin - very confused
Smilie Smilie Smilie Smilie Smilie Smilie Smilie
# 5  
Old 12-06-2016
Hi Robin. Try putting
Code:
auth       required     pam_wheel.so use_uid group=SocksUsers

above:
Code:
auth       include      system-auth

Otherwise if
Code:
auth        sufficient    pam_winbind.so try_first_pass

succeeds, then no further modules will be called in the pam_stack..

Code:
       sufficient
           if such a module succeeds and no prior required module has failed the PAM framework returns success to the application or to the superior PAM stack immediately
           without calling any further modules in the stack. A failure of a sufficient module is ignored and processing of the PAM module stack continues unaffected.

https://www.unix.com/man-pages.php?qu...on=5&os=centos

Last edited by Scrutinizer; 12-06-2016 at 02:37 PM..
These 2 Users Gave Thanks to Scrutinizer For This Post:
# 6  
Old 12-07-2016
Thanks for the suggestion. I'd tried to read the manual pages but got rather goggle-eyed, so it is now smack-in-the-face obvious that we've got the order wrong.

I feel a fool for not spotting it Smilie

Mind you, I didn't do it in the first place, so it's not too bad. Smilie



I will see if I can get this put in sometime and report back.



Kind regards,
Robin
# 7  
Old 01-03-2017
Thanks for the pointers. I am pleased to report that we have changed /etc/pam.d/ss5 from this:-
Code:
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
auth       required     pam_wheel.so use_uid group=SocksUsers
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

.... to this (grouping all the auth statements together too):-
Code:
#%PAM-1.0
auth       requisite	pam_succeed_if.so debug user ingroup socksusers
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

When we moved the rule up the order before the include statement, the use_uid meant that the rules were being applied to the account running the code, not the connecting user, i.e. it was testing the single account root for every connection.

Notes:-
  • I've set this to be requisite to just exit if the account does not have the required group.
  • I found that pam_succeed_if.so gave me the debug option for logging.
  • The pam_succeed_if.so also can be extended if multiple acceptance criteria were required.
  • The group appears to be case-insensitive, but shows as all lower case when running something like id rbatte1 | sed 's/) /)\n/g ; s/,/\n/g' | sort -nk1,1.5

I hope that this might be useful to someone else.


Robin
Login or Register to Ask a Question

Previous Thread | Next Thread

9 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

Proxy socks tester issue

I have a list of ip socks / port(eg: 192.168.0.1 80). I would like to write a bash to test automatically these addresses in a loop with firefox. The problem is that firefox process stays alive even when firefox does not work because of wrong network settings. So I want to kill the process when the... (3 Replies)
Discussion started by: arpagon
3 Replies

2. UNIX for Dummies Questions & Answers

Can't connect through ssh socks proxy to certain sites

Hello, i setup an open socks proxy on my remote vps: ssh -f -N -D 0.0.0.0:1080 localhost and then allowed only connections from IP of my home computer iptables -A INPUT --src myhomeip -p tcp --dport 1080 -j ACCEPT iptables -A INPUT -p tcp --dport 1080 -j REJECT but it appears that im... (3 Replies)
Discussion started by: postcd
3 Replies

3. Shell Programming and Scripting

AIX pam ssh/sshd configuration not allowing sed or awk

This is a weird problem. Following is my code. /opt/quest/bin/vastool configure pam sshd /opt/quest/bin/vastool configure pam ssh cat /etc/pam.conf | \ awk '$1=="ssh"||$1=="sshd"||$1=="emagent"{sub("prohibit","aix",$NF);}1' OFS='\t' > /etc/pam.conf cat /etc/ssh/sshd_config | \ sed -e... (2 Replies)
Discussion started by: pjeedu2247
2 Replies

4. UNIX for Advanced & Expert Users

Squid Dynamic Proxy Server Configuration

Hello all, I am trying to configure squid proxy server for different organizations. These organizations will have different blocked ports, different acls, etc. But, I can use only one proxy server for this purpose. Thinking of making a shell script with iptables and squid. For an example: a... (1 Reply)
Discussion started by: admin_xor
1 Replies

5. IP Networking

SQUID Proxy server configuration

Can any one direct me to the resources where I can find in-depth instructions on Squid Proxy server and its configuration? Thanks in advance.:) (1 Reply)
Discussion started by: admin_xor
1 Replies

6. Red Hat

PAM configuration: Kerberos authentication and NIS authorization problem

Hi, I've configured two linux boxes to authenticate against Windows Active Directory using Kerberos while retrieving authorization data (uids, gids ,,,)from NIS. The problem I ran into with my PAM configuration is that all authentication attempts succeed in order.i.e. if someone tried his... (0 Replies)
Discussion started by: geek.ksa
0 Replies

7. IP Networking

proxy DNS configuration

i have the DNS and the web proxy services running on one of my sun machines....the funny thing is clients use the proxy server by addressing it with its IP address only....what i need is to assign it like...proxy.amu.edu.et...... my guess is the problem is the configuration with the DNS ...but i... (2 Replies)
Discussion started by: henokia4j
2 Replies

8. UNIX for Dummies Questions & Answers

reread pam configuration

Hi. i am on solaris. I have changed pam configuration. Do i need to let pam re-read its configuration again? If so, how can i do it? ps -ef | grep -i pam, returns no hits. Rgds (0 Replies)
Discussion started by: yls177
0 Replies

9. UNIX for Advanced & Expert Users

Pam configuration

I have suse (SLES 9) machine,I would like to know how to creat a PAM configure file for ldap authentication and loading it using a "config" argument to pam_ldap.so Thanks for your help (0 Replies)
Discussion started by: hassan1
0 Replies
Login or Register to Ask a Question