I am working on a radius authentication solution composed of a PAM module and an NSS module.
The flow is like this:

- ben login (via the login command)
- ben radius, same behavior as libnss-ato
- ben -> admin
- login command, the user is logged at the proper mapped user admin
Now, my problem is as follows. OpenSSH server will read NSS before PAM.
This means the flow is like this:

- ben ssh in
- ben to the default account radius
- ben -> admin
- cached radius instead of admin because it uses the value it got from NSS before PAM was called

Now this bug happens only on first login, because on second login the NSS will have cached data and return the correct user on the first call.
But it is still a problem, firstly because I don't want the first login to fall to the wrong user each time, secondly if ben has had his admin rights dropped, his next login will still be mapped to admin by SSH because of the NSS cache of my NSS module.
I cannot query the mapping on the first NSS call because querying mapping from radius requires a successful login.
I have a few leads, but I'd really love some insight on this issue.
My leads are:

- the radius user uses a special root setuid shell; this shell would read my NSS database and change user, then exec the real shell. The problem is that I need to know which radius user is logged in. I can write an env var in my PAM module, but as the shell will be setuid, I need a security mechanism to ensure that var is trusted. The only thing I see is to have a crypto signature in the var, and have the setuid shell verify that with a private key in root 0600.
- setuid in the PAM module, but that sounds fishy

I ended up changing the shell for the user to a setuid wrapper that drops privileges to the intended user.
Code is here: https://github.com/kuon/radius-auth-virtual
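Added example, not taken from the linked repository or from the poster: a minimal setuid wrapper of the kind described above, showing the two parts a reviewer would check first, the mapping lookup against a root-owned database and a privilege drop that is done in the right order and verified before the real shell is exec'd. The "radius_user:local_user" line format of the mapping database is an assumption for the example (the poster's format is not given), and so is the way the wrapper learns which RADIUS user logged in: it is passed in as the already-authenticated parameter `radius_user`, because an environment variable inherited by a setuid binary is exactly what must not be trusted, which is the open problem in the first lead.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample of a root-owned mapping database written by the PAM
 * module after a successful RADIUS login: one "radius_user:local_user" per
 * line. This format is an assumption for the example, not the poster's. */
static const char SAMPLE_DB[] =
    "alice:ops\n"
    "ben:admin\n"
    "carol:radius\n";

/* Find `user` in the mapping database. The key must match exactly ("ben"
 * does not match "benjamin"). Returns 1 and writes the target into `out`,
 * 0 if there is no entry, -1 if the target is empty or does not fit. */
int lookup_mapping(const char *db, const char *user, char *out, size_t outlen)
{
    size_t ulen = strlen(user);
    const char *p = db;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        const char *colon = memchr(p, ':', linelen);

        if (colon && (size_t)(colon - p) == ulen && memcmp(p, user, ulen) == 0) {
            size_t tlen = linelen - ulen - 1;
            if (tlen == 0 || tlen >= outlen)
                return -1;
            memcpy(out, colon + 1, tlen);
            out[tlen] = '\0';
            return 1;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

/* Permanently switch from root to `pw`. The order is deliberate: the group
 * list and primary gid need root, so they go first; uid goes last. After
 * the drop, setuid(0) must fail, otherwise the saved uid is still root and
 * the shell could regain privileges. Returns 0 on success, -1 on failure. */
int drop_to(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0)   /* the drop did not stick */
        return -1;
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
        return -1;
    return 0;
}

/* Resolve the mapping for `radius_user`, drop to that account and exec its
 * shell with a freshly built environment. The environment inherited from
 * sshd or login is never reused: a setuid binary cannot trust it. How the
 * wrapper learns `radius_user` trustworthily is assumed here (it is the
 * poster's open question). Only returns on failure, with -1. */
int become_mapped_user(const char *db, const char *radius_user)
{
    char target[64];
    if (lookup_mapping(db, radius_user, target, sizeof target) != 1)
        return -1;

    struct passwd *pw = getpwnam(target);
    if (pw == NULL || pw->pw_uid == 0)   /* refuse to map anyone onto root */
        return -1;
    if (drop_to(pw) != 0)
        return -1;

    char home[512], user[256], shell[256];
    snprintf(home, sizeof home, "HOME=%s", pw->pw_dir);
    snprintf(user, sizeof user, "USER=%s", pw->pw_name);
    snprintf(shell, sizeof shell, "SHELL=%s", pw->pw_shell);
    char *envp[] = { home, user, shell, "PATH=/usr/bin:/bin", NULL };
    char *argv[] = { pw->pw_shell, NULL };

    execve(pw->pw_shell, argv, envp);
    return -1;                           /* exec failed */
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s radius_user\n", argv[0]);
        return 2;
    }
    if (become_mapped_user(SAMPLE_DB, argv[1]) != 0) {
        perror("become_mapped_user");
        return 1;
    }
    return 0;
}
```

In a real deployment the binary is root-owned and mode 4755, the mapping database is read (root-owned, 0600) before the drop, and the wrapper is installed as the login shell of the shared radius account so that both the login and the ssh path end up at the mapped user regardless of what NSS answered first.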