Impact
When Bareos Director >= 18.2 is built and configured for PAM authentication, it will skip authorization checks completely. Expired accounts and accounts with expired passwords can still log in.
This problem will affect users that have PAM enabled. Currently there is no authorization (e.g. check for expired or disabled accounts), but only plain authentication (i.e. check if username and password match).
Patches
Bareos Director versions 21.1.0, 20.0.6 and 19.2.12 implement the authorization check that was previously missing. All users using a PAM Console in Bareos Director should immediately upgrade to one of these versions and check that their PAM configuration works as desired.
Please note that the fix may break a currently working PAM configuration! See the updated documentation on how to fix this.
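As an added illustration (not taken from the Bareos documentation), the PAM service file below contrasts an authentication-only stack with one that also performs the account check. It assumes that the fixed versions perform the authorization check through PAM's `account` management group, and that the service authenticates with `pam_unix.so`. The file name is a placeholder.

```conf
# Constructed example: /etc/pam.d/<service-name>
# <service-name> is a placeholder; use the service name given in the
# updated Bareos documentation.

# --- Authentication only (sufficient before the fix) -------------------
# Only the "auth" group is defined, so PAM verifies that username and
# password match and nothing else. Account expiry, password expiry and
# disabled accounts are never evaluated.
#
# auth     required   pam_unix.so

# --- Authentication plus authorization (needed after the fix) ----------
# The "account" group is where PAM modules decide whether an
# authenticated user is still allowed to log in. With pam_unix.so this
# covers account expiry and password ageing from the shadow database.
# Assumption: if this group is missing, the result of the account check
# depends on the system's fallback policy ("other" service), which on
# many systems denies access. That is one way a previously working
# configuration can stop working after the upgrade.
auth     required   pam_unix.so
account  required   pam_unix.so
```

To confirm the check is enforced after upgrading, expire a dedicated test account (for example with `chage -E 0 <testuser>`) and verify that a PAM console login for that account is refused while a valid account still succeeds.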
Workarounds
The only workaround is to make sure that authentication fails if the user is not authorized. This may or may not be possible in your scenario.
References
For more information
If you have any questions or comments about this advisory: