FS#65819 - [pambase] support systemd-homed
Attached to Project:
Arch Linux
Opened by hexchain (hexchain) - Friday, 13 March 2020, 10:42 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:23 GMT
Opened by hexchain (hexchain) - Friday, 13 March 2020, 10:42 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:23 GMT
|
Details
Description:
To make use of systemd-homed one needs to modify its PAM configuration. However, changing PAM configuration can be dangerous and there does not seem to be any consensus on how to do it[1]. It would be better if Arch has some recommended solution. P.S.: not sure if this is relevant but pam_permit.so seems to be a problem[2] if we would like to allow login with either pam_unix or pam_systemd_home. [1] https://wiki.archlinux.org/index.php/Talk:Systemd-homed [2] https://bbs.archlinux.org/viewtopic.php?id=245892 |
This task depends upon
Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:23 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/p ackaging/packages/pambase/issues/3
Saturday, 25 November 2023, 20:23 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/p ackaging/packages/pambase/issues/3
[1] https://aur.archlinux.org/packages/pambase-homed/
[2] https://wiki.archlinux.org/index.php/Systemd-homed#Enabling_PAM_modules
cronie, shadow, util-linux, bftpd, cups, lightdm, posgresql, samba, screen, at, deepin-daemon, fcron, fscrypt, open-vm-tools, opendoas, partimage, physlock, schroot, sssd and vsftpd?
I switched from the suggested nss-auth on the wiki page to the default supplied system-auth.
Storage is directory (no encryption) but I have pam_mount with encfs and it's still working fine.
So this issue is probably resolved, unless someone else noticed some issues.
Using the second sample system_auth in post #8 (the one labeled "pam_unix always checked byefore pam_systemd_home") resolves the spurious journal messages. It would be nice if this was the out of the box configuration, so that all of us users with out-of-the-box configs for pam and systemd (with systemd-homed NOT enabled) don't see these noisy, meaningless journal entries.
EDIT:
Never mind. The configuration that switches the order of pam_unix and pam_systemd_home breaks required password changes (logs attached), at least via tty and ssh, and I don't know enough about PAM to suggest a working config. :(
If not please try the attached system-auth.
Edit:
If it only works for passwd based accounts.
Your attached changes allow password changes, but breaks logins.
to
auth [success=2 default=ignore] pam_unix.so try_first_pass nullok
from
auth required pam_unix.so try_first_pass nullok
which expands to
auth [success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_unix.so try_first_pass nullok
success=ok to success=2, the merging of ignore=ignore default=bad to default=ignore were intended, the merging of new_authtok_reqd into default=ignore was under the assumption it would never be produced.
[1] https://bugs.archlinux.org/task/67636#comment191839
If there is a an exploitable security issue please report it to security@archlinux.org
auth - returns PAM_USER_UNKNOWN when required (acquire_home -> acquire_user_record can return that)
account - returns PAM_SUCCESS on PAM_USER_UNKNOWN (has a test on acquire_home's return value)
password - returns PAM_USER_UNKNOWN when required (same as auth)
session - returns PAM_SUCCESS on PAM_USER_UNKNOWN (same as account)
--------------------
my proposed solution in comment 187386
Yes. it assumes that account and session return PAM_USER_UNKNOWN when the user is unknown to homed. I just changed the required control value, which expands to [success=ok new_authtok_reqd=ok ignore=ignore default=bad]. I replaced the 'ok' to skip 1 instead, and added a user_unknown=ignore.
It also skips pam_unix.so in session if pam_systemd_homed succeeds. This is unnecessary since the session part of pam_unix.so only does some logging.
The solution I proposed there was further debated upon in the wiki's talk page for systemd-homed. Skidnik introduced me to the idea of a substack, and I proposed a substack config where the only two that needed a substack were put in the substack. Skidnik changed that to include all systemd-homed's in a single substack, which is what was added to the wiki.
--------------------
Requirement of substack
Substacks can be easily replaced with [...] syntax
For example -
auth substack homed-substack
auth required pam_env.so
homed-substack
auth sufficient pam_unix.so try_first_pass nullok
auth sufficient pam_systemd_home.so suspend=true
auth [success=bad] pam_permit.so
can be replaced with -
auth [success=2 new_authtok_reqd=2 default=ignore] pam_unix.so try_first_pass nullok
auth [success=1 new_authtok_reqd=1 default=ignore] pam_systemd_home.so suspend=true
auth [success=bad] pam_permit.so
auth optional pam_permit.so
auth required pam_env.so
--------------------
Current problem 1
as stated in pam_systemd_home.so, account returns success on user_unknown. So the
account [success=1 default=ignore] pam_systemd_home.so
used in /etc/pam.d/system-auth is bad
--------------------
Current problem(?) 2
Is there any particular reason why session for pam_systemd_homed.so is omitted from /etc/pam.d/system-auth? It seems like it does much more work than pam_unix.so's logger.
--------------------
Security
I don't think this affects security, because account assumes that the user is already properly authenticated. I am not an expert in anything, so can't guarantee this.
--------------------
Other problems
forget-key-on-suspend will soon be available on at least GNOME (hopefully others), but never on TTY sessions. So we would need two system-auth files. One to be included for TTY sessions, other by forget-key-on-suspend supporting session managers.
Replacing the substack -
sufficient expands to [success=done new_authtok_reqd=done default=ignore]. I replaced the 'done' with an appropriate number of lines to skip
-------------------------
Solution to problem 1
use pam_unix.so's return status to skip pam_systemd_home.so. Not the other way around.
-------------------------
Solution to problem(?) 2
Add session optional pam_systemd_home.so
-------------------------
Problem 3 (password change/expiry not working properly)
This is because in the current configuration, new_authtok_reqd is counted in default instead of separately.
in all 4 keywords, success and new_authtok_reqd result in the same action
requisite - [success=ok new_authtok_reqd=ok ignore=ignore default=die]
optional - [success=ok new_authtok_reqd=ok default=ignore]
-------------------------
Solution to problem 3
Properly mimic the keywords instead of only half-mimicking them.
-------------------------
More stuff
Also check https://bugs.archlinux.org/task/67658 and the comment there
dwheeler's response to my followup was the old pambase did enforce the password change. (response was posted in a different bug report and deleted)
My thought was try_first_pass option to pam_unix in passwd but the old pambase had that as well.
with the modified system-auth (attached) i was dropped straight into bash even though a message that i was required to change the password popped up. with the system-auth here https://github.com/archlinux/svntogit-packages/tree/4f61fe5dddfb8889b2d15d34e84d9cc3e60cc24f (no systemd-homed, no faillock) i got "Authentication token manipulation error" and couldn't login. I tried deleting the sha512 option, didn't change anything.
I don't think this is related to systemd-homed. Could be a bug in pam itself?
FS#61843?Edit:
Default pambase 20200721.1-2 files, expired passwd account login is allowed without a password change.
removing
-account [success=1 default=ignore] pam_systemd_home.so
produces token authentication manipulation
adding
password include system-local-login
then password change is forced before login is allowed.
Edit2:
It is add you said [1]. For the auth check unix is first so is handled as expected.
[1] https://github.com/systemd/systemd/blob/v246/src/home/pam_systemd_home.c#L837
Edit3:
After applying pam.diff pambase 20200721.1-2 expired passwd account login is required to change password before login.
I was not criticizing you patch, the deletion was simply smaller.
Edit4:
From [2] 60001…60513 → UIDs for home directories managed by systemd-homed.service
account [default=1 success=ignore] pam_succeed_if.so uid >= 60001 uid <= 60513
skip over the following for accounts not managed by systemd-home
-account [success=1 default=ignore] pam_systemd_home.so
[2] https://systemd.io/UIDS-GIDS/
system-auth (1.3 KiB)
/etc/pam.d/login - ohhh, ye that works. it clearly was an issue for a long time, wonder why it wasn't fixed all this time. :/
My patch - it actually was like that, reporting PAM_USER_UNKNOWN. except i did it in session too. you can see that i renamed the PR and force pushed to the branch again. I changed to PAM_IGNORE because i thought that would allow simpler handling with the 4 keywords instead of with the [...] syntax.
auth - auth returns PAM_USER_UNKNOWN properly, so it can be second if needed. you linked to the account part in [1]. account and session are the one that return abnormal results, as i stated before.
your edit 3 - just applying the diff shouldn't work? i removed all homed mentions from my system-auth. it didn't work until your /etc/pam.d/login solution. i still think just putting account pam_systemd_homed.so second (with the login file patched) is good enough.
your edit 4 - any UID outside the system UID range (0-999?) can be picked during account creation. they recommend 60001-60513 inclusive, but that isn't mandatory. (man 1 homectl)
With edit 4 I was trying to explicitly guarantee only accounts managed by pam_systemd_home are checked by pam_systemd_home by that module in account and password rather than the implicit guarantee provided by being the last module.
60001-60513 - yes, i saw your link. but an user can override that while creating the user, and it is not forbidden to do so.
system-auth
account substack nss-auth
account optional pam_permit.so
account required pam_time.so
nss-auth
account sufficient pam_unix.so
account sufficient pam_systemd_home.so
account required pam_deny.so
equivalent -
1 account [success=2 new_authtok_reqd=2 default=ignore] pam_unix.so
2 account [success=1 new_authtok_reqd=1 default=ignore] pam_systemd_home.so
3 account required pam_deny.so
4 account optional pam_permit.so
5 account required pam_time.so
When 2 returns success (lying) after 1 returns PAM_USER_UNKNOWN the move straight to 4 is what seems sketchy here. Whether it is actually sketchy or not decides if the PR needs to be reopened.
@loqs What is happening here (and similar ones i uploaded before), correct me if i am wrong please -
the retval of account pam_unix.so is PAM_NEW_AUTHTOK_REQD, the associated action is ignore. So pam_acct_mgmt's status remains PAM_MUST_FAIL_CODE and impression remains _PAM_UNDEF and we proceed to pam_systemd_home.so.
account pam_systemd_home.so returns PAM_SUCCESS because of the test that it does against PAM_USER_UNKNOWN, the associated action is to skip 1. The side effect is ignore, and so the return value and impression remain the same. we skip the pam_deny.so and land on pam_permit.so.
account pam_permit.so returns PAM_SUCCESS, associated action is ok. pam_acct_mgmt's status is changed to PAM_SUCCESS and impression is changed to _PAM_POSITIVE.
account pam_time.so probably returns PAM_SUCCESS, associated action is ok. since impression is _PAM_POSITIVE and retval is PAM_SUCCESS, the status is changed to the same PAM_SUCCESS. eventually this is returned to login.
login tests this against PAM_NEW_AUTHTOK_REQD, finds the test false. so it never calls pam_chauthtok. [If it did find PAM_NEW_AUTHTOK_REQD (default=ignore replaced by default=bad or something), pam_chauthtok would be called. This would need the /etc/pam.d/login fix.]
login then tests the value again if it is an error condition, finds the test false again. So it proceeds to call pam_open_session().
PAM doesn't actually block pam_open_session(), that's the application's responsibility.
The attached system-auth preserves the return values for them to be tested by applications. This will block users with expired passwords from logging in. Adding the /etc/pam.d/login solution will cause such users to be forced to change the password (also, that fix needs to be applied to all applications that use pam_chauthtok, such as /etc/pam.d/sudo). This will also fix the current situation where trying to log in with a valid username but giving an invalid password has a different result than logging in with an invalid username (letting an outsider know what users exist).
Edit: urgh i give up. pam_unix's user_unknown tests are even worse. they just check if the username is valid with pam_get_user or something. The attached configuration doesn't work with systemd-home users because pam_unix just returns some other error. There is probably no way to preserve the error return values with the current situation.
FS#67658@loqs btw you could open a PR on systemd with the patch you posted here. the credit for that is still yours, even if it's 2 lines.
The line "-account [success=1 default=ignore] pam_systemd_home.so" needs to be commented out for xrdp session to work.
Under discussion here:
https://github.com/neutrinolabs/xrdp/issues/1684
https://github.com/microsoft/linux-vm-tools/issues/127
https://bbs.archlinux.org/viewtopic.php?id=258297
@multipitch is systemd-homed enabled on the system with the issue? The pambase configuration does not need it to be it is a data point that would indicate where the issue might be.
Have you reported the issue upstream to systemd?
@loqs oh i wasn't submitting the PR because you posted the patch here. will do it then.
[1] https://github.com/systemd/systemd/commit/842067e6753d8cad951c83ac62681c539e1b1a07
See https://bbs.archlinux.org/viewtopic.php?id=258297
auth portion only needs [success=N default=ignore] for both pam_unix.so and pam_systemd_home.so, they don't return new_authtok_reqd
account portion - pam_permit.so will turn both success and new_authtok_reqd into success. it needs to be like this -
account [success=ok new_authtok_reqd=ok default=1] pam_systemd_home.so
account [default=1] pam_permit.so
account required pam_unix.so
account required pam_time.so
minus in front of pam_systemd_home.so - arch won't build systemd without homed, and if it is really missing then pam will return a pam_success from the module which is also wrong because pam_unix.so will be skipped. (the minus is for missing pam_systemd_home.so, not for missing dbus-org.freedesktop.home1.service)
With the substack approach could that keep the minus for pam_systemd_home.so?
This allows those who have not enabled systemd_homed to NoExtract=usr/lib/security/pam_systemd_home.so to pacman.conf preventing the following message
pam_systemd_home(systemd-user:account): Failed to query user record: Unit dbus-org.freedesktop.home1.service not found.
system-auth-substack (0.4 KiB)
There was a discussion on github about this and this is a working solution:
https://github.com/systemd/systemd/issues/20619#issuecomment-986697045
sc. swap pam_unix and pam_systemd_home in the auth section.
I suppose the substack approach using `sufficient` would work too (and would probably be neater).
Could we have an update on this?