Improvements to Teleport PAM support. #3317
Merged (+614 −314)
Conversation
webvictim reviewed Jan 30, 2020:
LGTM in theory with a few nits
Branch force-pushed from 02cdbb9 to 2c94e45.
fspmarshall reviewed Jan 30, 2020:
`pam_teleport.so` is being tracked. This is probably unintended.
Branch force-pushed from ee63299 to fb3df7e.
Added method that reads in PAM environment variables from PAM handle.
Added ability to pass additional metadata about the user to PAM modules through the PAM_RUSER field.
Refactored launching of shell to call PAM first. This allows a PAM module to create the user and home directory before attempting to launch a shell for said user. To do this the command passed to Teleport during re-exec has changed. Before the Teleport master process would resolve the user fully (UID, GUID, supplementary groups, shell, home directory) before re-launching itself to then launch a shell. However, if PAM is used to create the user on the fly and PAM has not been called yet, this will fail. Instead that work has now been pushed to occur in the child process. This means the Teleport master process now creates a payload with the minimum needed from *srv.ServerContext and will then re-exec itself. The child process will call PAM and then attempt to resolve the user (UID, GUID, supplementary groups, shell, home directory).
Added support for "pam_putenv" and "pam_get_item" to fetch PAM_RUSER to pam_teleport.so. This is used for test coverage.
Branch force-pushed from 341d477 to 136c074.
Don't call os.Exit() from RunCommand() as any defers won't be called. Instead wrap RunCommand() in RunAndExit() to allow defers to be called.
Branch force-pushed from 136c074 to 51b3006.
fspmarshall approved these changes Feb 6, 2020.
Description
Added ability to read in PAM environment variables from the PAM handle and pass the environment variables `TELEPORT_USERNAME`, `TELEPORT_LOGIN`, and `TELEPORT_ROLES` to the PAM module.

Refactored launching of shell to call PAM first. This allows a PAM module to create the user and home directory before attempting to launch a shell for said user.

To do this the command passed to Teleport during re-exec has changed. Before, the Teleport master process would resolve the user fully (UID, GUID, supplementary groups, shell, home directory) before re-launching itself to then launch a shell. However, if PAM is used to create the user on the fly and PAM has not been called yet, this will fail.

Instead that work has now been pushed to occur in the child process. This means the Teleport master process now creates a payload with the minimum needed from `*srv.ServerContext` and will then re-exec itself. The child process will call PAM and then attempt to resolve the user (UID, GUID, supplementary groups, shell, home directory).

Examples
Using pam_exec.so

Using `pam_exec.so` is the easiest way to use the PAM stack to create a user if the user does not already exist. The advantage of using `pam_exec.so` is that it usually ships with the operating system. The downside is that it doesn't provide access to some additional environment variables that Teleport sets (see the `pam_script.so` example for those) to use additional identity metadata in the user creation process.

You can either add `pam_exec.so` to your existing PAM stack for your application or write a new one for Teleport. In this example we'll write a new one to simplify how to use `pam_exec.so` with Teleport.

Start by creating a file `/etc/pam.d/teleport` with the following contents.

Note the inclusion of `pam_motd.so` under the session facility. While `pam_motd.so` is not required for user creation, Teleport requires a module set for both the `account` and `session` facility to work.

Next create the script that will be run by `pam_exec.so` like below. This script will check if the user passed in `PAM_USER` exists and if it does not, it will create it. Any error from `useradd` will be written to `/tmp/pam.error`.

Next update `/etc/teleport.yaml` to call the above PAM stack by both enabling PAM and setting the `service_name`.

Now attempting to log in as an existing user should result in the creation of the user and successful login.
Using pam_script.so

If more advanced functionality is needed, `pam_script.so` is a good choice. It typically has to be installed from packages, but richer scripts with more identity information from Teleport can be used during the process of user creation.

To start, install `pam_script.so`. On Debian based systems this would be `apt-get install libpam-script` and on RHEL based systems `yum install pam-script`.

You can either add `pam_script.so` to your existing PAM stack for your application or write a new one for Teleport. In this example we'll write a new one to simplify how to use `pam_script.so` with Teleport.

Start by creating a file `/etc/pam.d/teleport` with the following contents.

Note the inclusion of `pam_motd.so` under the session facility. While `pam_motd.so` is not required for user creation, Teleport requires a module set for both the `account` and `session` facility to work.

Next create the script that will be run by `pam_script.so` like below. This script will check if the user passed in `TELEPORT_LOGIN` exists and if it does not, it will create it. Any error from `useradd` will be written to `/tmp/pam.error`. Note the additional environment variables `TELEPORT_USERNAME`, `TELEPORT_ROLES`, and `TELEPORT_LOGIN`. These can be used to write richer scripts that may change the system in other ways based off identity information.

Next update `/etc/teleport.yaml` to call the above PAM stack by both enabling PAM and setting the `service_name`.

Now attempting to log in as an existing user should result in the creation of the user and successful login.
Related Issues
Fixes #3270
Fixes #3021
Fixes #2863
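As an added example covering both the `pam_exec.so` and `pam_script.so` sections of the description above (this is not the PR's or Teleport's own code, and the scripts the description refers to are not on this page), below is one hook script that works behind either module. Everything in its header comment is an assumption about how the pieces are wired: the `/etc/pam.d/teleport` lines, the script path, the `dir=` option and `pam_script_acct` naming of `pam_script.so`, and the `ssh_service.pam` fragment of `teleport.yaml`. It goes beyond the description in two places a practitioner would want: the hook runs as root, so the login name is validated before it reaches `useradd` (no leading dash, no shell metacharacters), and errors are logged under `/var/log` rather than to a predictable path in world-writable `/tmp`.

```shell
#!/bin/sh
# Added example (not Teleport's code): a user-provisioning hook that can sit
# behind either pam_exec.so or pam_script.so in an /etc/pam.d/teleport stack.
#
# Assumed wiring for the pam_exec.so variant, in /etc/pam.d/teleport:
#   account  required  pam_exec.so  /usr/local/sbin/teleport-provision
#   session  required  pam_motd.so
# Assumed wiring for the pam_script.so variant (this file saved as
# pam_script_acct inside the directory given by dir=):
#   account  required  pam_script.so  dir=/etc/pam_script.d
#   session  required  pam_motd.so
# Assumed matching /etc/teleport.yaml fragment:
#   ssh_service:
#     pam:
#       enabled: yes
#       service_name: teleport

USERADD="${USERADD:-/usr/sbin/useradd}"           # overridable for dry runs
ERRLOG="${ERRLOG:-/var/log/teleport-pam.error}"   # root-owned dir, not /tmp

# valid_login: the hook runs as root, so only accept a login that useradd would
# accept and that cannot be read as an option ('-...') or carry metacharacters.
valid_login() {
    case "$1" in
        ''|-*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# user_exists: resolve through the system account database (NSS), not /etc/passwd.
user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# provision_user LOGIN: create the account with a home directory if it is
# missing. Returns non-zero on a rejected name or a useradd failure; useradd's
# stderr is appended to ERRLOG.
provision_user() {
    login="$1"
    if ! valid_login "$login"; then
        printf '%s rejected login %s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$login" >>"$ERRLOG"
        return 1
    fi
    if user_exists "$login"; then
        return 0
    fi
    "$USERADD" --create-home --shell /bin/bash -- "$login" 2>>"$ERRLOG"
}

# pam_exec.so exports PAM_USER (plus PAM_TYPE, PAM_SERVICE, ...) to the script;
# pam_script.so also passes the PAM environment, so TELEPORT_LOGIN is present
# there (assumed from the PR description). Prefer the Teleport value, fall back
# to PAM_USER.
main() {
    provision_user "${TELEPORT_LOGIN:-${PAM_USER:-}}"
}

# Only act when invoked from PAM; sourcing this file for tests does nothing.
if [ -n "${PAM_USER:-}" ]; then
    main
fi
```

Install it as `/usr/local/sbin/teleport-provision` (mode 0755, owned by root) for the `pam_exec.so` stack, or as `pam_script_acct` in the `dir=` directory for the `pam_script.so` stack. Because it runs in the `account` phase, the user exists before the re-exec'd child described above resolves UID, GID, shell and home directory. Treat the name validation as defence in depth, not a substitute for tight `logins` in the Teleport role: whatever the role allows is what arrives in `PAM_USER`.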