pam: add pam_sss_gss module for gssapi authentication #5367
Conversation
pbrezina
force-pushed
the
gssapi
branch
2 times, most recently
from
7570194
to
39522e0
Compare
|
(I plan to review this once CI passes.) |
|
Thank you. Tests pass, rhel7 and rhel8 failures are not related (infrastructure issues). |
|
I have started review though this is large and will take a bit. Though on that subject: this is a fairly sizable change, and I don't see anything in the way of tests for it. Have I missed something? |
| gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; | ||
| gss_buffer_desc input = GSS_C_EMPTY_BUFFER; | ||
| gss_buffer_desc output = GSS_C_EMPTY_BUFFER; | ||
| OM_uint32 flags = GSS_C_MUTUAL_FLAG; |
There was a problem hiding this comment.
Can you be more specific?
There was a problem hiding this comment.
You hardcoded just the mutual flag in two places. This is an odd choice of flags, so I was hoping you could explain why you were doing this in the code. (And then we'll figure out if it's right or not :).)
We don't currently have framework that would allow to test this. But this is going to change soon so tests will be added later, possibly by QA. |
|
Pathes were updated. |
|
Github hide lots of "conversations" from me so there are many unsolved issues so the patches are not yet ready to be reviewed again. |
Okay, just ping me when you want another review and I'll take a look. |
|
It's ready for next round. The remaining question is about the proper flag for gssapi otherwise I answered or resolved everything. The issues were mostly cosmetic since we seem to have different coding habits, but since it does not break SSSD's coding style I respected your suggestions. |
| { | ||
| char **list = pam_ctx->gssapi_services; | ||
|
|
||
| if (domain->gssapi_services != NULL) { |
There was a problem hiding this comment.
Hi,
what about sub-domains? I guess if there is no sub-domain specific setting it would be reasonable to check the parent first before falling back to the pam responder setting?
bye,
Sumit
There was a problem hiding this comment.
Do you thing it would be useful to allow inheritance of this option and its explicit configuration per subdomain?
There was a problem hiding this comment.
Hi,
I was more thinking about what would be expected. E.g. if you join your client to an AD domain which is part of a forest and set pam_gssapi_services in the [domain/...] section my expectation would be that it works for users from other domains in the forest as well.
With inheritance enabled it would be a bit odd to disable the feature for a sub-domain because you have to use pam_gssapi_services = NotExistingServiceName since iirc we cannot handle empty values correctly.
But currently if you want to allow sub-domain user you have to add pam_gssapi_services to the [pam] section which enables it globally. So if you prefer to avoid inheritance I'm fine with only sub-domain specific configuration, but it should be explained in the man page that domain-specific settings must be set for each domain, including sub-domains, individually.
bye,
Sumit
|
Hi, while testing this PR it looks like If this is currently and expected limitation it should be documented in the man page.. bye, |
Hmm, nice catch. Unfortunately sudo resets the environment before PAM invocation so KRB5CCNAME is not available for the PAM module. It can be made available by adding it to env_keep in /etc/sudoers but this will also make it available in the called process and this is probably not what we want so we will have to patch sudo to keep this variable for PAM. I'll ask sudo upstream what are our options. However, even if the variable is available, gssapi uses the default location: @frozencemetery Is there any gssapi call I should call to make it use this variable? |
|
You can pass |
Hi, this is during authentication and at this stage the enviroment is not cleaned up. If I use so I guess HTH bye, |
|
No, if I put getenv directly in the module it is empty unless it is whitelisted in env_keep. |
Ok, thanks, good to know that /proc/PID/environ might not contain the current state. Nevertheless I think it would be good to try getenv() first and use the ccache from the environment if set and only fall back to the default otherwise. bye, |
|
KRB5CCNAME is now respected, if it is set in env_keep in sudoers (or ldap rules). And I asked sudo-workers to see if we can make it available to PAM only. I also updated the manpage. |
Thanks, it is working fine now. I would suggest to mention While testing I came across a behavior which can be a bug or a feature and we should decide how to handle and/or document it. Currently authentication will be successful if you have a TGT in the credential cache which can be used to successfully request a host ticket. This TGT does not have to be associated with the user calling A related item are ccache types which can handle multiple TGTs. Currently the 'active' TGT is used and if the PAM responder would check if the principal matches the user bye, |
|
Please, see new changes.
|
|
Hi, thanks for the updates, all my tests are working well. There is a missing I like the idea using bye, |
config.h is required for the definitions to work correctly. Compilation will fail if sss_format.h is included in a file that does not include directly or indirectly config.h
:config: Added `pam_gssapi_services` to list PAM services that can authenticate using GSSAPI
:config: Added `pam_gssapi_check_upn` to enforce authentication only with principal that can be associated with target user.
:feature: New PAM module `pam_sss_gss` for authentication using GSSAPI :packaging: Added `pam_sss_gss.so` PAM module and `pam_sss_gss.8` manual page
|
Thank you. Here's a diff: diff --git a/src/man/pam_sss_gss.8.xml b/src/man/pam_sss_gss.8.xml
index d4bb705e3..ce5b11bff 100644
--- a/src/man/pam_sss_gss.8.xml
+++ b/src/man/pam_sss_gss.8.xml
@@ -46,6 +46,7 @@
already present in the Kerberos credentials cache or if user's
ticket granting ticket can be used to get the correct service ticket
then the user will be authenticated.
+ </para>
<para>
If <option>pam_gssapi_check_upn</option> is True (default) then SSSD
requires that the credentials used to obtain the service tickets can
@@ -183,9 +184,18 @@ auth sufficient pam_sss_gss.so
<option>[domain_realm]</option> in /etc/krb5.conf like so:
</para>
<para>
- 2. Authentication does not work and syslog contains "Can't find
- client principal $NAME in cache collection": Try to kinit with the
- required principal name.
+ 3. Authentication does not work and syslog contains "No Kerberos
+ credentials available": You don't have any credentials that can be
+ used to obtain the required service ticket. Use kinit or autheticate
+ over SSSD to acquire those credentials.
+ </para>
+ <para>
+ 4. Authentication does not work and SSSD sssd-pam log contains "User
+ with UPN [$UPN] was not found." or "UPN [$UPN] does not match target
+ user [$username].": You are using credentials that can not be mapped
+ to the user that is being authenticated. Try to use kswitch to
+ select different principal, make sure you authenticated with SSSD or
+ consider disabling <option>pam_gssapi_check_upn</option>.
</para>
<programlisting>
[domain_realm]
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 69cd4c3a1..d637e2eaa 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1712,8 +1712,11 @@ p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
<para>
Comma separated list of PAM services that are
allowed to try GSSAPI authentication using
- pam_sss_gss.so module. This option can be also set
- in domain section.
+ pam_sss_gss.so module.
+ </para>
+ <para>
+ To disable GSSAPI authentication, set this option
+ to <quote>-</quote> (dash).
</para>
<para>
Note: This option can also be set per-domain which
|
|
Hi, thanks for your patience, ACK. I will set the label when the CI checks are done. bye, |
|
Hai, So cockpit's perspective to this patch as I understand it: Cockpit would build an s4u ccache using gssapi. This means that the ccache we'd use has the target user as the client principal (so not the cockpit principal building the cache). As far as I understand that means calling That said we would not have a TGT for that user, the way s4u works means we'd just have tickets for specific services, in this case the sudo service. But I think that should be fine, as in a "normal" scenario you'd just use that TGT to get a ticket for the sudo service. Having this option on by default where that client principal needs to match a local user makes sense to me, as I think that's the scenario cockpit would fall under. Cockpit would ssh into a machine with a host ticket, and then escalate using the sudo service ticket, only for that specific user. So I think this should be fine, and gets an ACK from our side :) |
|
The rawhide failure is expected and the rhel8 failure is due to an issue in the CI runner. |
sumit-bose
added
Accepted
Ready to push
|
Pushed PR: #5367
|
The module configuration and usage should be clear
from its manual page. Suggestions are welcome.
The main use case is to enable password-less authentication
for sudo where smartcards are not possible (because the
reader is not available in the target host).
It is not possible to set the service name or keytab at this
moment so the module relies on
host/hostname@REALMwhere hostnameis provided by SSSD (based on the user's domain) and REALM
is determined by GSSAPI. This principal is already stored in
krb5_keytab location for IPA and AD providers so the functionality
is for free.
Because authorization is done by pam_sss and it is not needed
for the use case, I would implement configurable ticket names
and keytab location only when required by users.