Add PAM authentication support #66
Conversation
On Thu, Mar 31, 2022 at 12:43:31AM -0700, Konrad Gräfe wrote:
Hello @cminyard ,
this PR addresses cminyard/gensio#26 . I think I was on the wrong track the whole time, since the certauth only collects the username and password but leaves the actual password verification to the server application. Therefore I figured this should be the place to add PAM authentication to the application, which is ser2net in our case. Also it is *a lot* less code to maintain.
You are mostly correct. certauth relies on something above it in the
stack for authentication, whether that's another gensio or the server
application. Either way will work.
It was, perhaps, a mistake on my part to do it the way it is now. It
might have been better to have written the ser2net authentication as a
gensio so it would be available to other users.
Currently I am not done yet. But I want to kindly ask for your opinion before going further in this direction as it's still our goal to merge this into mainline ser2net.
This is an ok direction, as things are now. I was hoping you would take
it and make it a layer, but that's a pretty big job. As you say, this
way is a lot less work.
A couple of notes:
You can steal the PAM password reading code from gtlsshd.c in gensio.
It's not very easy to do.
You don't change the certificate authentication. It's not very hard,
and you can steal the GENSIO_EVENT_AUTH_BEGIN handling code from
gtlsshd.c where it sets that authdir to the .gtlssh/allowed_certs
directory. I think users would appreciate certificate authentication,
it's more secure and they don't have to type passwords. Plus it will
still do standard ser2net certificate authentication if you don't change
it.
This means that ser2net must run as root. That's not ideal, but it's a
consequence of using PAM.
You will need to add documentation for pamauth, along with your other
TODOs.
-corey
### Test setup
#### Server
```sh
❯ cat ser2net.yaml
connection: &test-server
  accepter: certauth(enable-password),ssl(key=ser2net.key,cert=ser2net.crt),tcp,2013
  connector: serialdev,/dev/serial/by-id/usb-FTDI_TTL232R-3V3_FTASU5TK-if00-port0,115200N81
  options:
    banner: ser2net Echo Server\r\n
    mdns: false
    authdir: .
    pamauth: true
❯ cat pam.d/other
auth required /usr/lib/x86_64-linux-gnu/pam_wrapper/pam_matrix.so passdb=/data/projects/ser2net-pam/ser2net-test/pam.d/passdb
account required /usr/lib/x86_64-linux-gnu/pam_wrapper/pam_matrix.so passdb=/data/projects/ser2net-pam/ser2net-test/pam.d/passdb
password required /usr/lib/x86_64-linux-gnu/pam_wrapper/pam_matrix.so passdb=/data/projects/ser2net-pam/ser2net-test/pam.d/passdb
session required /usr/lib/x86_64-linux-gnu/pam_wrapper/pam_matrix.so passdb=/data/projects/ser2net-pam/ser2net-test/pam.d/passdb
❯ cat pam.d/passdb
bob:secret:ser2net
❯ LD_PRELOAD=libpam_wrapper.so PAM_WRAPPER=1 PAM_WRAPPER_SERVICE_DIR=$PWD/pam.d ser2net -d -c ./ser2net.yaml
Unable to start mdns: Operation not supported
```
#### Client
```sh
❯ gtlssh -p 2013 --cadir . --nomux bob@localhost
Password: secret
ser2net Echo Server
embedded device login:
```
### TODO
- [ ] Fix TODOs
- [ ] Add conditional to build without PAM support
-- Commit Summary --
* WIP: Add PAM support
-- File Changes --
M auth.c (93)
M configure.ac (2)
M controller.c (8)
M defaults.c (1)
M port.c (4)
M port.h (3)
M portconfig.c (2)
M rotator.c (7)
M ser2net.h (2)
-- Patch Links --
https://github.com/cminyard/ser2net/pull/66.patch
https://github.com/cminyard/ser2net/pull/66.diff
PAM authentication works without root permissions (I'm on Ubuntu 20.04).
In our scenario the user authenticates against a RADIUS server via PAM to gain access to the TTY. In that case the user does not exist locally and has no home directory on the device (nor does he need to).
On Fri, Apr 08, 2022 at 05:25:42AM -0700, Konrad Gräfe wrote:
> > You don't change the certificate authentication. It's not very hard, and you can steal the GENSIO_EVENT_AUTH_BEGIN handling code from gtlsshd.c where it sets that authdir to the .gtlssh/allowed_certs directory. I think users would appreciate certificate authentication, it's more secure and they don't have to type passwords. Plus it will still do standard ser2net certificate authentication if you don't change it.
> In our scenario the user authenticates against a RADIUS server via PAM to gain access to the TTY. In that case he does not exist locally and has no home directory on device.
Ah, that's why you don't need root. You can't open /etc/shadow without
privilege.
Ok, that's fine.
--corey
(branch force-pushed from 5b13270 to f9e3358)
@cminyard I think I addressed all open points. I also changed
Debian maintainer of the program here. Is there documentation about PAM support, and a suggested file for /etc/pam.d included? Or will ser2net continue to function without?
(wrong account, sorry for the noise)
I documented how to enable PAM support and set the PAM service name.
No, because that depends on your use case. Also it's not needed as PAM would use Our use case is to authenticate against a RADIUS server, so we would use:
Yes. PAM authentication is disabled by default. You need to set
A few comments:
You need:
as resp may not be set. Is it possible to use both pam authentication and authdir authentication at the same time? That way you could use passwords from PAM and certificates from authdir. The documentation you've written (well, modified) says that it works that way, but the code won't.
That should probably return PAM_CONV_ERR or perhaps PAM_AUTHINFO_UNAVAIL (or PAM_CRED_UNAVAIL? It's kind of unclear what to return here.). Other than those, this looks good.
See free(3p):
I will look into this, thanks.
According to pam_conv(3) we should return either
I just verified that certificate authentication through certauth still works with pamauth enabled. What makes you think it doesn't? It takes place before the password authentication and is not touched by this PR.
On Fri, Apr 22, 2022 at 02:07:21AM -0700, Konrad Gräfe wrote:
> > Is it possible to use both pam authentication and authdir authentication at the same time? That way you could use passwords from PAM and certificates from authdir. The documentation you've written (well, modified) says that it works that way, but the code won't.
> I just verified that certificate authentication through certauth still works with pamauth enabled. What makes you think it doesn't? It takes place before the password authentication and is not touched by this PR.
Ah, yeah, PAM will disable password support in authdir, but certificates
will still work. That's probably fine, but should be documented.
Signed-off-by: Konrad Gräfe <k.graefe@gateware.de>
I think I addressed all comments. Please come back to me if I've overseen something or if you find more issues.
Ok, this is merged. Thank you.
Great, thank you.
On Wed, Apr 20, 2022 at 05:45:35AM -0700, Konrad Gräfe wrote:
> > A few comments:
> >
> > ```
> > for (i = 0; i < num_msg; i++) {
> >     free(resp[i].resp);
> > }
> > ```
> >
> > You need: if (resp[i].resp) free(...) as resp may not be set.
>
> See [free(3p)](https://man7.org/linux/man-pages/man3/free.3p.html): `If ptr is a null pointer, no action shall occur.`
> `calloc()` initializes all fields to zero (i.e. `NULL`) and `free()` happily accepts `NULL`. So it would be less code to read and maintain. :-) However, if you prefer an additional guard I won't lose sleep over it.
ser2net runs on a lot of things that aren't Linux (or Posix, or current
Posix). I have no idea what other systems do here, so I would prefer to
be a little more conservative. It's probably ok, but there are a lot of
opinions on the matter, it turns out.
POSIX agrees: https://pubs.opengroup.org/onlinepubs/9699919799/functions/free.html ;-) and according to POSIX the C standard also agrees:
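The two review threads above (the `free(resp[i].resp)` guard and what a conversation callback should return when it cannot answer a prompt) are easiest to see together. The block below is an added example, not code from ser2net or gensio: a PAM conversation callback that answers `PAM_PROMPT_ECHO_OFF` from the password certauth already collected, refuses anything it cannot answer non-interactively with `PAM_CONV_ERR`, and releases partial results through a cleanup routine that uses the explicit NULL guard Corey asked for. It assumes the Linux-PAM calling convention; when `security/pam_appl.h` is not available, the stand-in types and constants below are assumptions mirroring that header so the file still builds. The name `pam_password_conv`, the `pam_conv_data` struct and the sample prompts in `main` are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Use the real libpam header when present; otherwise these stand-ins are
 * assumed to match Linux-PAM's security/pam_appl.h. */
#ifdef __has_include
# if __has_include(<security/pam_appl.h>)
#  include <security/pam_appl.h>
#  define HAVE_PAM_APPL_H 1
# endif
#endif
#ifndef HAVE_PAM_APPL_H
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
# define PAM_PROMPT_ECHO_OFF 1
# define PAM_PROMPT_ECHO_ON  2
# define PAM_ERROR_MSG       3
# define PAM_TEXT_INFO       4
# define PAM_SUCCESS         0
# define PAM_BUF_ERR         5
# define PAM_CONV_ERR        19
#endif

/* Hypothetical appdata handed to PAM via struct pam_conv.appdata_ptr:
 * the password certauth collected from the client. */
struct pam_conv_data {
    const char *password;
};

/* Release a response array.  calloc() leaves every .resp NULL, and free(NULL)
 * is a no-op under POSIX, but the explicit guard is the conservative form
 * preferred in the review.  Password buffers are wiped before release
 * (a plain memset; explicit_bzero/memset_s are better where available). */
void free_pam_responses(struct pam_response *resp, int num)
{
    int i;
    if (!resp)
        return;
    for (i = 0; i < num; i++) {
        if (resp[i].resp) {
            memset(resp[i].resp, 0, strlen(resp[i].resp));
            free(resp[i].resp);
        }
    }
    free(resp);
}

/* Conversation callback.  Only an echo-off prompt can be answered from the
 * stored password; informational and error messages need no answer (resp
 * stays NULL); an echo-on prompt or an unknown style cannot be answered
 * without a user at a terminal, so the callback fails with PAM_CONV_ERR and
 * frees whatever it had allocated so far. */
int pam_password_conv(int num_msg, const struct pam_message **msg,
                      struct pam_response **resp, void *appdata_ptr)
{
    struct pam_conv_data *d = appdata_ptr;
    struct pam_response *r;
    int i;

    *resp = NULL;
    if (num_msg <= 0 || !msg || !d || !d->password)
        return PAM_CONV_ERR;

    r = calloc((size_t)num_msg, sizeof(*r));   /* every .resp starts NULL */
    if (!r)
        return PAM_BUF_ERR;

    for (i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:
            r[i].resp = strdup(d->password);
            if (!r[i].resp) {
                free_pam_responses(r, num_msg);
                return PAM_BUF_ERR;
            }
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
            break;                      /* nothing to answer */
        default:                        /* ECHO_ON or unknown style */
            free_pam_responses(r, num_msg);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}

int main(void)
{
    /* Constructed prompts, standing in for what a PAM module would send. */
    struct pam_conv_data d = { "secret" };
    struct pam_message m0 = { PAM_PROMPT_ECHO_OFF, "Password: " };
    struct pam_message m1 = { PAM_TEXT_INFO, "Welcome to ser2net" };
    const struct pam_message *ms[2] = { &m0, &m1 };
    struct pam_response *r = NULL;
    int rc = pam_password_conv(2, ms, &r, &d);

    printf("rc=%d answer=%s\n", rc, rc == PAM_SUCCESS ? r[0].resp : "(none)");
    free_pam_responses(r, 2);
    return rc == PAM_SUCCESS ? 0 : 1;
}
```

In a real integration the callback goes into `struct pam_conv` passed to `pam_start()`, and `free_pam_responses()` is what the application calls after `pam_authenticate()` returns, whether or not the conversation completed.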