Re: [Tigervnc-devel] PAM only works for local stored passwords

2011-02-26 Thread Sebastiaan Breedveld
Hi,

On 02/25/2011 11:16 PM, Martin Koegler wrote:
> On Fri, Feb 25, 2011 at 09:52:48AM +0100, Sebastiaan Breedveld wrote:
>> Unfortunately, the radius configuration file contains a secret
>> string to authenticate against the Radius server, so it should not
>> be world readable.
>>
>> I was actually under the impression that PAM is a query service run
>> as root: how else can a user be capable of obtaining root
>> privileges by using su? Apparently it works differently.
>>
>> Anyway, is there any way to make a construction to authenticate
>> against a module with a root-only readable configuration file as a
>> normal user? (different from inetd/xdm, which do not have the
>> features I need for this group of users).
> First, I would not set Xvnc setuid root - Xvnc is not written for such
> a case. I would not be surprised if such a setup can be used by a user
> to gain elevated privileges.
>
> If you really need such a setup, I would create a new radiusauth
> group, make the conf files group readable [maybe even with setfacl, if
> the normal group can not be changed] and make Xvnc setgid for this
> group [it can be possible that you need to add calls to setregid to
> swap the gids]. In this setup, a user at most only gets a copy of the
> radius conf files.
>
> A better solution would be to look for a pam module which does not
> require extended privileges. Search if there are pam modules
> authenticating against other services which use your radius server -
> or pam modules which pass the authentication to a root owned daemon
> (sssd?).
>
> Regards,
> Martin Kögler
It seems that sssd is the only correct approach. I have not heard of
this project before, but it looks interesting. I will look into it later.

Thanks!
Sebastiaan


--
Free Software Download: Index, Search  Analyze Logs and other IT data in 
Real-Time with Splunk. Collect, index and harness all the fast moving IT data 
generated by your applications, servers and devices whether physical, virtual
or in the cloud. Deliver compliance at lower cost and gain new business 
insights. http://p.sf.net/sfu/splunk-dev2dev 
___
Tigervnc-devel mailing list
Tigervnc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tigervnc-devel


Re: [Tigervnc-devel] PAM only works for local stored passwords

2011-02-25 Thread DRC
On 2/25/11 2:13 AM, Martin Koegler wrote:
> The problem is that some pam modules react differently if they are
> invoked by root or by a normal user.
>
> The Debian pam_unix, e.g., lets normal users verify only their own
> password and fails on any other user name. Other modules like pam_krb5
> (also pam_ldap?) allow a normal user to verify the password of any user.

I've observed this in some versions of Linux as well, but it can be
worked around by making Xvnc setuid root.



Re: [Tigervnc-devel] PAM only works for local stored passwords

2011-02-25 Thread Sebastiaan Breedveld
Hi,

On 02/25/2011 09:13 AM, Martin Koegler wrote:
> tigervnc currently only uses the auth section - account, session and
> password are ignored.
>
> Xvnc simply passes username & password to pam and waits for the
> result. I have tested it for example with the pam_krb5 module
> successfully.
>
> The problem is that some pam modules react differently if they are
> invoked by root or by a normal user.
>
> The Debian pam_unix, e.g., lets normal users verify only their own
> password and fails on any other user name. Other modules like pam_krb5
> (also pam_ldap?) allow a normal user to verify the password of any user.
>
> I would check if your pam_radius_auth has any config/data files which
> are only root accessible. If that is the case, it will probably only
> work if Xvnc runs as root [or otherwise gets access to these files].
>
> Regards,
> Martin Kögler
Thank you! I just tried it on Gentoo, which has more verbose logging, and
it indeed turned out that the problem was the read permissions of the
radius configuration file. Setting this to world-readable makes it
possible to log in.

Unfortunately, the radius configuration file contains a secret string
to authenticate against the Radius server, so it should not be world
readable.

I was actually under the impression that PAM is a query service run as
root: how else can a user be capable of obtaining root privileges by
using su? Apparently it works differently.

Anyway, is there any way to make a construction to authenticate against
a module with a root-only readable configuration file as a normal user?
(different from inetd/xdm, which do not have the features I need for
this group of users).


Sincerely,
Sebastiaan





[Tigervnc-devel] PAM only works for local stored passwords

2011-02-24 Thread Sebastiaan Breedveld
Dear list,

I am testing the 1.1 pre-beta (2/21/11) 64 bit Linux binary on an Ubuntu 
Natty machine. According to previous posts, I start the VNC server as:
./Xvnc :4 -SecurityTypes=VeNCrypt,Plain -PlainUsers=sebastiaan pam_service=vnc

which works fine when connecting with:
./vncviewer :4 -SecurityTypes=VeNCrypt,Plain
and supplying my credentials.

Unfortunately, if the password of the user is not stored locally, but 
has to be retrieved from a server (a RADIUS server in my case), the 
connection fails:
./Xvnc :4 -SecurityTypes=VeNCrypt,Plain -PlainUsers=sebastiaanRemote pam_service=vnc


/var/log/auth.log simply responds:
Feb 24 21:34:35 uluru01 Xvnc: pam_unix(vnc:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost=  user=sebastiaanRemote


Xvnc gives the message:
Thu Feb 24 21:33:44 2011
  Connections: accepted: 10.177.20.2::53817
  SConnection: Client needs protocol version 3.8
  SConnection: Client requests security type VeNCrypt(19)

Thu Feb 24 21:34:36 2011
  SConnection: AuthFailureException: invalid password or username
  Connections: closed: 10.177.20.2::53817 (invalid password or username)


My /etc/pam.d/vnc looks like this:
auth    [success=2 default=ignore]                          pam_unix.so nullok_secure
auth    sufficient                                          pam_radius_auth.so debug
auth    requisite                                           pam_deny.so
auth    required                                            pam_permit.so

account [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so
account sufficient                                          pam_radius_auth.so
account requisite                                           pam_deny.so
account required                                            pam_permit.so

which works fine for other services. I copied this file to a pretty 
simple service like chfn (cp /etc/pam.d/vnc /etc/pam.d/chfn) and it 
works fine.

I am not sure where it goes wrong, but I am happy to help looking.

Sincerely,
Sebastiaan
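The control flags in the /etc/pam.d/vnc auth section above decide which module's result the stack returns, and the Python model of pam.conf(5) control semantics below (an added example, not code from this thread or from TigerVNC) parses that stack and replays the three cases the thread turns on: pam_unix succeeding, pam_radius_auth succeeding, and both failing, which is what happens when pam_radius_auth cannot read its configuration and the requisite pam_deny then ends the stack. Module results are modelled as the strings 'success' and 'fail', an assumption of this example, and only the control actions used by such stacks (ok, done, bad, die, ignore, jump N) are implemented.

```python
import re
# Keyword controls as pam.conf(5) expands them (only the keys this model uses)
KEYWORDS = {"required":   {"success": "ok",   "default": "bad"},
            "requisite":  {"success": "ok",   "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}}
# The /etc/pam.d/vnc auth section quoted in the thread
VNC_AUTH = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth sufficient pam_radius_auth.so debug
auth requisite  pam_deny.so
auth required   pam_permit.so
"""
def parse_stack(text, kind="auth"):
    """Return [(module, actions)] for one management group of a pam.d file."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line.split("#")[0].strip())
        if m and m.group(1) == kind:
            ctl = m.group(2)
            actions = (dict(t.split("=", 1) for t in ctl[1:-1].split())
                       if ctl.startswith("[") else KEYWORDS[ctl])
            stack.append((m.group(3), actions))
    return stack
def run_stack(stack, results):
    """results maps module -> 'success'/'fail'; returns (stack result, modules run)."""
    impression, status, skip, ran = None, "fail", 0, []
    for module, actions in stack:
        if skip:                      # still inside a [success=N] jump
            skip -= 1
            continue
        ran.append(module)
        ret = results.get(module, "fail")
        action = actions.get(ret, actions.get("default", "bad"))
        if action.isdigit():          # jump N acts like 'ok', then skips N modules
            skip, action = int(action), "ok"
        if action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", ret
            if impression == "pos" and action == "done":
                break                 # 'sufficient' short-circuits only without an earlier failure
        elif action in ("bad", "die"):  # 'ignore' falls through: the result does not count
            if impression != "neg":
                impression, status = "neg", ret
            if action == "die":
                break                 # 'requisite' ends the stack at once
    return status, ran
def vnc_outcome(unix, radius):
    """Outcome of the thread's stack; pam_deny always fails, pam_permit always succeeds."""
    return run_stack(parse_stack(VNC_AUTH), {"pam_unix.so": unix, "pam_radius_auth.so": radius,
                                             "pam_deny.so": "fail", "pam_permit.so": "success"})
```

With both pam_unix and pam_radius_auth failing, neither contributes (default=ignore), so the requisite pam_deny decides and the stack fails exactly as the auth.log line shows; a readable radius configuration turns the second case into an immediate success without pam_deny ever running.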

