pam_ssh_agent_auth allowing users to define own ssh pubkey #31611
Comments
wmertens
added
the
1.severity: security
|
Does this work when the user does not belong to the |
|
cc @grahamc, @fpletz, @domenkozar, @rbvermaa |
|
It will give you whatever permissions your user can receive via |
|
The authorized_keys paths should probably be configurable anyway but the default is pretty bad. I think we should just remove the This is also probably worth a CVE. Opinions? /cc @grahamc |
|
Well, it looks like we can keep most backwards-compatibility by changing ~
to /home/%U, but that won't catch non-default homedirs.
However, personally I would love to only allow ssh keys from /etc. That's
what I was assuming when I enabled it…
…On Tue, Nov 14, 2017 at 11:28 AM Franz Pletz ***@***.***> wrote:
The authorized_keys paths should probably be configurable anyway but the
default is pretty bad. I think we should just remove the ~ paths. This
breaks backward-compatibility but I'm not sure how to disable
allow_user_owned_authorized_keys_file after reading the man page.
This is also probably worth a CVE. Opinions? /cc @grahamc
<https://github.com/grahamc>
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#31611 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AADWlvA8VOt87TWF5BsLsysqxZZXa4GRks5s2WthgaJpZM4Qb_hN>
.
|
|
So uhm - kind of disappointing how this is lingering… |
|
See #32178 for an example fix. I image we should also put it in the changelog, and it's not something we can just merge into stable… |
|
I just thought of a backwards-compatible way to fix this: make a new setting |
|
I maintain a multi-user installation of NixOS where I initially create users with one public key they provide me, and thereafter they are free to add their own keys. In my installation, it is intentional that users are able to add their own keys, and sudo needs to follow along. So, if this behavior is changed, it is important to me that there's a way to change it back to the way it is currently, as in my installation, this is intended behavior. (I even submitted PR #23435 to fix this behavior when it broke once.) Aside from my own use case, I also have qualms about making this change default in general. The root of my objection stems from the inconsistency it would introduce with how OpenSSH handles keys. As a user, I expect that if I turn on PAM SSH authentication, then it will use the same set of keys that OpenSSH uses for authentication. If we now say that configured keys are inherently more trustworthy than user-specified keys (which is reasonable), but apply that only to sudo and not also login to the system in general, that is inconsistent and looks like a bug (even if it is not really a bug, and was an intentional design decision because of this issue). I agree that this ought to be configurable because I can certainly see some administrators wanting the ability to turn this off. It should also be configurable independently of how OpenSSH chooses which keys to use. It can even default to allowing only configured keys rather than user-provided keys, as long as OpenSSH uses the same default. But, I do think those two defaults need to match, because anything else looks strange and inconsistent. |
|
Ok so the difference is that for me, strictly the specified key should be
allowed to sudo, and for you, any key that ssh accepts is ok. It should
definitely be configurable then, but I still think the default should be
strict.
…On Thu, Feb 22, 2018, 8:32 AM sometimes-i-send-pull-requests, < ***@***.***> wrote:
I maintain a multi-user installation of NixOS where I initially create
users with one public key they provide me, and thereafter they are free to
add their own keys. In my installation, it is intentional that users are
able to add their own keys, and sudo needs to follow along. So, if this
behavior is changed, it is important to me that there's a way to change it
back to the way it is currently, as in my installation, this is intended
behavior. (I even submitted PR #23435
<#23435> to fix this behavior when
it broke once.)
Aside from my own use case, I also have qualms about making this change
default in general. The root of my objection stems from the inconsistency
it would introduce with how OpenSSH handles keys. As a user, I expect that
if I turn on PAM SSH authentication, then it will use the same set of keys
that OpenSSH uses for authentication. If we now say that configured keys
are inherently more trustworthy than user-specified keys (which is
reasonable), but apply that only to sudo and not also login to the system
in general, that is inconsistent and *looks* like a bug (even if it is
not really a bug, and was an intentional design decision because of this
issue).
I agree that this ought to be configurable because I can certainly see
some administrators wanting the ability to turn this off. It should also be
configurable independently of how OpenSSH chooses which keys to use. It can
even default to allowing only configured keys rather than user-provided
keys, as long as OpenSSH uses the same default. But, I do think those two
defaults need to match, because anything else looks strange and
inconsistent.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#31611 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AADWll6vMGt3kjzORGx9aFLRAPrnX104ks5tXRf6gaJpZM4Qb_hN>
.
|
|
Sure, I can get behind that. As long as it's configurable! I still think there is something to be said for consistency (⇒ locking down OpenSSH by default too then) but that is a lesser concern. |
|
The code referred to (in the opening comment): Should have an option (boolean) that removes the |
|
Two other PAM modules seems to suffer the same kind of vulnerability: |
|
I just noticed in the logs that pam_ssh_agent_auth refuses to use my ~/.ssh keys because they have the wrong owner, so looks like it's fixed? @bricewge could you confirm |
|
I can still reproduce this vulnerability on 23.05. The current implementation uses |
…auth The current default allows privilege escalation because a process running as a user can add its own key to the user-writable authorized_keys file. This adds an option to configure the authorized keys files for pam_ssh_agent_auth separately from openssh. The default is only the /etc/ssh/authorized_keys.d/%u path which is not user-writable. Since existing users may rely on keys in user-writable files for access to their system, the option has been renamed so that users are prompted with upgrade instructions. Fixes NixOS#31611
|
After #255547 has been merged, now we can use following config as workaround. security.sudo.extraConfig = ''
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK
'';
security.pam.services =
let
serviceCfg = service: {
rules.auth.ssh-agent-custom = {
control = "sufficient";
# order = config.security.pam.services.${service}.rules.auth.u2f.order + 10;
modulePath = "${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so";
settings.file = "/etc/ssh/authorized_keys.d/%u";
};
};
in
lib.flip lib.genAttrs serviceCfg [ "sudo" "i3lock" ]; |
|
Thanks, this looks like a nice solution. I'm doing this, which seems to work just fine: services.openssh.authorizedKeysFiles =
lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];I guess the downside is that you can no longer specify authorized keys in |
|
@musjj As far as I know, there isn't any other downsides. However, IMO it's a big downside that a normal user can't determine which ssh key should be used to connect to its account. |
|
In the man I see allow_user_owned_authorized_keys_file ? shouldn't we set it ? so we don't hardcode config path but if you want to allow ~/.ssh they need to be owned by root |
|
It also says this:
I wonder if it can be manually overridden, even when there's a |
Sort of? However, it's possible to have both self-service
|
|
@RaitoBezarius What was the context where you mentioned needing user-writable |
…sFiles Specifying user-writeable files there result in an insecure configuration: A malicious process can then edit such an authorized_keys file and bypass the ssh-agent-based authentication. See NixOS/nixpkgs#31611 Signed-off-by: Otavio Salvador <[email protected]>
I just use security.pam.sshAgentAuth.authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];This still allows to login with user writable keys but not to use them for privilege elevation. |
|
Yeah, the option didn't exist when I wrote that. But it looks like that the new option pretty much solves this issue. All that's left is setting a saner default for |
The SSH_AUTH_SOCK variable is no longer preserved by default, due to intersecting concerns described in: NixOS/nixpkgs#31611 Note that the main concern in that issue is to do with overly lax pam_ssh_agent_auth rules regarding authorized keys file ownership. Changes to how SSH_AUTH_SOCK is handled are somewhat tangential to the core issue. Re-add SSH_AUTH_SOCK so that git commands run as sudo can access the ssh-agent.
Security impact: passwordless programmatic elevation of privileges via
sudoto sudo-defined level.Issue description
In the manpage it says that if
~or%hare used, they enableallow_user_owned_authorized_keys_file.We are using
~, so that means that if you are usingsecurity.pam.enableSSHAgentAuth = true;, any program running as a user can use sudo by changing the~/.authorized_keysfile.I propose we replace
%by/users/%Uor somehow disableallow_user_owned_authorized_keys_file.Steps to reproduce
Technical details
Relevant setting is at
nixpkgs/nixos/modules/security/pam.nix
Line 260 in ea35bc9
/cc @edolstra
The text was updated successfully, but these errors were encountered: