Fun with kppp (PAM?)

NathanZook
Posts: 13
Joined: 2005/05/27 20:37:46
Location: Austin, TX

Fun with kppp (PAM?)

Post by NathanZook » 2005/05/27 21:23:12

I'm quite new, so feel free to respond with RTFM & a good pointer...

I'm trying to set kppp up, and having some troubles...
1) (minor) The default baud rate for kppp was so high that my modem defaulted to 9600. Lowering it allowed me to run at 57600.
2) The suid solution in /usr/share/doc/HTML/en/kppp/security.docbook doesn't work. The window for kppp comes up, but I'm not allowed to access the connect button.
3) The kppp.allow solution in the same file seems to have no effect.

It appears that kppp has been configured either to be pam aware & overrides other access rules. So I've read up on PAM...

4) The pam_succeed_if.so module is testing against UID 0, which means that "auth sufficient pam_succeed_if.so debug user ingroup dialout" either always fails or always succeeds. The rootok line isn't kicking in, so I expect that the bug is in pam_succeed_if.so.

:-o
5) MODERATE SECURITY BUG: It appears that some (most? all?) of the files in /etc/pam.d have an "auth sufficient pam_timestamp.so" and also a "session optional pam_timestamp.so". This means that any user who is authenticated can run any of these programs until his timestamp expires!!!

In other words, if I give kppp access to someone, they have access to system-config-users until their timestamp expires.

PROPOSED WORKAROUND: Replace "session optional pam_timestamp.so" with "auth optional pam_timestamp.so" immediately following the "auth required pam_stack.so service=system-auth" line. This should ensure that 1) a good password entry cannot be indefinitely extended by repeatedly calling these services, and 2) the timestamp can only be used after a successful password entry.

FIX: The timestamp facility should be made modular, either to particular services or to groups of services.


Re: Fun with kppp (PAM?)

Post by NathanZook » 2005/05/29 15:10:02

I sent a link to the above note to the maintainer of succeed_if (an employee of Prominent North American Enterprise Linux Vendor (tm)). He kindly & rapidly pointed me to the use_uid option for succeed_if. :-D I now have precisely the behavior I desire with the following /etc/pam.d/kppp file:

#%PAM-1.0
auth sufficient pam_succeed_if.so debug use_uid user ingroup dialout
auth sufficient pam_rootok.so
auth sufficient pam_timestamp.so
auth required pam_stack.so service=system-auth
session optional pam_xauth.so
# session optional pam_timestamp.so
account required pam_permit.so

NOTE THE COMMENTING OUT OF THE session timestamp line! Failure to comment out this line will give root privileges to all members of dialout!

I have not experimented with making the session timestamp line into a final auth timestamp line.
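As an added example (not code from this thread, nor from kppp or Linux-PAM), the script below models how PAM evaluates required/requisite/sufficient/optional control flags and replays both findings: item 5 of the first post (a stamp written by one service's session phase satisfies another service's "auth sufficient pam_timestamp.so" without a password) and the use_uid fix in the second post. The module behaviours, the in-memory stamp store, the assumption that pam_succeed_if without use_uid tests the target user root (groups {"root"}), and the second service OTHER_SERVICE are all constructed stand-ins, not real PAM internals.

```python
"""Added example: model of Linux-PAM control-flag evaluation, replaying the
shared-pam_timestamp problem and the pam_succeed_if use_uid fix. Module
behaviours and the stamp store are simplified stand-ins (assumption)."""
from typing import Callable, List, Set, Tuple

Rule = Tuple[str, str, str, Tuple[str, ...]]  # (phase, control, module, args)
STAMPS: Set[str] = set()  # users holding a fresh stamp (in-memory stand-in)


def parse_pam(text: str) -> List[Rule]:
    """Parse /etc/pam.d-style lines; '#' starts a comment."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        rules.append((parts[0], parts[1], parts[2], tuple(parts[3:])))
    return rules


def run_phase(rules: List[Rule], phase: str,
              call: Callable[[str, Tuple[str, ...]], bool]) -> bool:
    """Linux-PAM control-flag semantics for one phase (auth, session, ...)."""
    required_failed = False
    for ph, control, module, args in rules:
        if ph != phase:
            continue
        ok = call(module, args)
        if control == "required" and not ok:
            required_failed = True            # remembered, stack continues
        elif control == "requisite" and not ok:
            return False                      # fail immediately
        elif control == "sufficient" and ok and not required_failed:
            return True                       # stop here with success
        # "optional" results are ignored
    return not required_failed


class Caller:
    """Constructed calling user and whether the password they'd type is right."""
    def __init__(self, uid: int, user: str, groups: Set[str], password_ok: bool):
        self.uid, self.user, self.groups, self.password_ok = uid, user, groups, password_ok


def make_call(c: Caller, phase: str) -> Callable[[str, Tuple[str, ...]], bool]:
    def call(module: str, args: Tuple[str, ...]) -> bool:
        if module == "pam_succeed_if.so":
            # "user ingroup G": with use_uid the caller is tested; without it the
            # target user is (root under consolehelper; assumed groups {"root"}).
            group = args[args.index("ingroup") + 1]
            return group in (c.groups if "use_uid" in args else {"root"})
        if module == "pam_rootok.so":
            return c.uid == 0
        if module == "pam_timestamp.so":
            if phase == "session":
                STAMPS.add(c.user)            # session phase records a stamp
                return True
            return c.user in STAMPS           # auth phase honours an existing one
        if module == "pam_stack.so":
            return c.password_ok              # stands in for system-auth
        if module in ("pam_xauth.so", "pam_permit.so"):
            return True
        raise ValueError(f"no model for {module}")
    return call


def run_service(config: str, c: Caller) -> bool:
    """Auth phase, then (only on success) the session phase for its side effects."""
    rules = parse_pam(config)
    if not run_phase(rules, "auth", make_call(c, "auth")):
        return False
    run_phase(rules, "session", make_call(c, "session"))
    return True


KPPP_POSTED = """\
#%PAM-1.0
auth sufficient pam_succeed_if.so debug use_uid user ingroup dialout
auth sufficient pam_rootok.so
auth sufficient pam_timestamp.so
auth required pam_stack.so service=system-auth
session optional pam_xauth.so
# session optional pam_timestamp.so
account required pam_permit.so
"""
KPPP_SESSION_STAMP = KPPP_POSTED.replace("# session optional", "session optional")
KPPP_NO_USE_UID = KPPP_POSTED.replace("use_uid ", "")
# Constructed second consolehelper-style service of the kind the first post
# describes: it also accepts a fresh stamp instead of a password.
OTHER_SERVICE = """\
auth sufficient pam_rootok.so
auth sufficient pam_timestamp.so
auth required pam_stack.so service=system-auth
session optional pam_timestamp.so
"""


def replay(kppp_config: str, caller: Caller) -> Tuple[bool, bool]:
    """(kppp granted, OTHER_SERVICE granted right afterwards) from a clean store."""
    STAMPS.clear()
    return run_service(kppp_config, caller), run_service(OTHER_SERVICE, caller)


if __name__ == "__main__":
    alice = Caller(1000, "alice", {"alice", "dialout"}, password_ok=False)
    print("posted file     :", replay(KPPP_POSTED, alice))         # (True, False)
    print("session stamp on:", replay(KPPP_SESSION_STAMP, alice))  # (True, True)
    print("no use_uid      :", replay(KPPP_NO_USE_UID, alice))     # (False, False)
```

With the session stamp line active, alice (in dialout, no password typed) gets kppp through pam_succeed_if and then also passes OTHER_SERVICE because kppp's session phase left a stamp behind; with the line commented out, the second call falls through to pam_stack and is refused. Dropping use_uid reproduces the original symptom: the group test is applied to root instead of the caller and never succeeds.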
