Bug in RSA key management - login possible with random RSA private key #1357

Closed
lewandowskim1988 opened this Issue Dec 24, 2018 · 8 comments

lewandowskim1988 commented Dec 24, 2018

What did you try to do?

I have installed privacyIDEA v2.23.3 from the repo on an Ubuntu 16 EC2 instance.
I set up an admin account and a low-privileged account for checking RSA keys.
Next I set up 5 users and created 5 new SSHkey tokens for them with RSA public keys.

I wanted to test my configuration, so I installed privacyideaadm 2.15.1 on a test machine and filled /etc/privacyidea/authorizedkeyscommand with the following content:

[Default]
url = https://my.privacyidea.server
admin = low_rights_admin
password = <<my_super_secret_password>>
nosslcheck = False

and /etc/ssh/sshd with two lines:

AuthorizedKeysCommand /usr/local/bin/privacyidea-authorizedkeys
AuthorizedKeysCommandUser ubuntu

After that I was able to successfully run privacyidea-authorizedkeys ubuntu and receive my public key from the privacyIDEA server.

What outcome did you expect?

I also thought that I would now be able to log in only with the private RSA key that matches the public key uploaded to the privacyIDEA server.

What outcome did you experience?

Instead I was able to log in with any private RSA key.
I even managed to log in with an RSA key file that I created via vim.

Configuration

  • privacyIDEA Version: 2.23.3
  • Installation method: Ubuntu packages
  • OS: Ubuntu 16.04.5 LTS
  • Webserver: nginx/1.10.3
  • Tokendatabase: RDS MySQL
  • Client machine: Ubuntu 16 & 18


cornelinux (Member) commented Dec 27, 2018

I think there might be a misunderstanding with the ssh server here.

You did right when running the command

privacyidea-authorizedkeys ubuntu

This command would be triggered by the sshd during a login attempt. ubuntu is the login name of the user who is currently trying to log in. If this command only returns the single SSH key, the ssh daemon will also only trust this single SSH key as far as privacyIDEA is concerned. All ssh keys that are returned by this command will be allowed for login.

But note that the ssh server still checks the ~/.ssh/authorized_keys file! So if you have other keys in this file, these will be allowed, too!

You may also check the audit log in privacyIDEA for the calls to machine/authitem/ssh (action).

One last note, but I think you are aware of this: The AuthorizedKeysCommandUser ubuntu user needs read access to the config /etc/privacyidea/authorizedkeyscommand.

lewandowskim1988 commented Dec 27, 2018

Thanks for the quick answer.
I am aware that the ssh daemon also reads ~/.ssh/authorized_keys, and I removed all files from there, so there is no possibility to authorize against anything other than the privacyIDEA server.

All calls to machine/authitem/ssh end with response code 200.

The ubuntu user has read access to the /etc/privacyidea/authorizedkeyscommand config file.

Today I will try to test the RSA key check against an older version of the privacyIDEA server.

cornelinux (Member) commented Dec 27, 2018

Which keys are returned by the call to privacyidea-authorizedkeys ubuntu?

lewandowskim1988 commented Dec 27, 2018

The command privacyidea-authorizedkeys ubuntu returned the proper public key, which I passed when creating the new SSH token via the privacyIDEA web GUI.

cornelinux (Member) commented Dec 27, 2018

You are logging in as user "ubuntu"?
If privacyIDEA only returns the single key, then something seems wrong with the ssh setup.

lewandowskim1988 commented Dec 27, 2018

Yes, I am logging in as the ubuntu user with the command ssh -i <<path to key>> ubuntu@<<ip of host>>
This is my /etc/ssh/sshd configuration file; I have removed the comment lines:

Port 22
Protocol 2

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

UsePrivilegeSeparation yes

KeyRegenerationInterval 3600
ServerKeyBits 1024

SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes

AuthorizedKeysCommand /usr/local/bin/privacyidea-authorizedkeys
AuthorizedKeysCommandUser ubuntu

IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no

PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

cornelinux (Member) commented Dec 28, 2018

So to sum up: you configured privacyIDEA in such a way that only the one correct pubkey is returned.
You configured the authorized keys command correctly. You say there are no other authorized_keys in the file.

But you can log in with "other" private keys. Honestly, this really sounds a bit strange to me, as if you were missing something.

I recommend the following:

  1. Activate debug in ssh and check the log file, probably auth.log.

  2. Try to diversify your setup. Remove "AuthorizedKeysCommand" and check if you can still log in with the false private keys.
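
As an added example (not code from this report or from the privacyIDEA project), the following Python models the trust decision explained earlier in the thread and supports the auth.log check recommended here: sshd accepts an offered key if its blob appears in the union of the AuthorizedKeysCommand output and ~/.ssh/authorized_keys, so the way to confirm that a key should have been rejected is to compare its SHA256 fingerprint, as sshd logs it at debug level, against that union. The sample keys are constructed for illustration and are not real key pairs.

```python
import base64
import hashlib

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def _ssh_string(data: bytes) -> bytes:
    # OpenSSH wire format: 4-byte big-endian length, then the bytes.
    return len(data).to_bytes(4, "big") + data

def make_ed25519_line(seed: int, comment: str) -> str:
    """Constructed sample key (not a real pair): type name + 32-byte value, each length-prefixed."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(seed.to_bytes(4, "big")).digest())
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def parse_key_line(line: str):
    """Return (key_type, blob) for one authorized_keys-style line, else None. Blank lines and
    '#' comments are skipped; a leading options field (from="...", no-pty) is skipped too."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPE_PREFIXES):
            try:
                return field, base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
    return None

def fingerprint(line: str) -> str:
    """SHA256 fingerprint in the form sshd logs and ssh-keygen -l prints."""
    parsed = parse_key_line(line)
    if parsed is None:
        raise ValueError("not a public key line")
    return "SHA256:" + base64.b64encode(hashlib.sha256(parsed[1]).digest()).decode().rstrip("=")

def trusted_fingerprints(command_output: str, authorized_keys: str) -> set:
    """sshd accepts the union of the AuthorizedKeysCommand output and ~/.ssh/authorized_keys."""
    lines = command_output.splitlines() + authorized_keys.splitlines()
    return {fingerprint(l) for l in lines if parse_key_line(l) is not None}

def is_trusted(offered_key_line: str, command_output: str, authorized_keys: str) -> bool:
    return fingerprint(offered_key_line) in trusted_fingerprints(command_output, authorized_keys)

# Constructed data mirroring the report: token key returned by the command, authorized_keys emptied.
PRIVACYIDEA_KEY = make_ed25519_line(1, "sshkey-token-ubuntu")
RANDOM_KEY = make_ed25519_line(2, "made-in-vim")  # registered nowhere on the server side
COMMAND_OUTPUT = PRIVACYIDEA_KEY + "\n"
AUTHORIZED_KEYS = "# emptied, as in the report\n"
```

If an ssh-agent is running on the client, it can offer its loaded keys before the one named with -i, so reproduce the test with ssh -o IdentitiesOnly=yes -i <key> to be sure only the named key is offered, and compare the fingerprint sshd logs with the set this script computes.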

lewandowskim1988 commented Dec 28, 2018

Sorry for the false alarm.
My problem was caused by ssh-agent running on my local machine and fetching the RSA key.
