Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Exit status when user is not member of group #16

Open
candlerb opened this issue May 2, 2020 · 6 comments
Open

Exit status when user is not member of group #16

candlerb opened this issue May 2, 2020 · 6 comments

Comments

@candlerb
Copy link

candlerb commented May 2, 2020

Perhaps I am being extremely dense, but I am scratching my head when I look at the code here:

	if len(group) == 0 || isMemberOf(group) {
		return authenticate(w, uid, username, userCA, authorizedPrincipals)
	}

	return AuthSuccess

It seems to me that if the "group" option is set, but the user is not a member of that group, the module will unconditionally return AuthSuccess - which implies that sudo access is granted.

I was expecting the final statement to say return AuthError. If that's true, it could be more clearly expressed as:

	if len(group) > 0 && isMemberOf(group) != true {
		return AuthError
	}

	return authenticate(w, uid, username, userCA, authorizedPrincipals)

However if the current behaviour is as intended, then I think the documentation of the "group" option could be made much clearer. "Users who are in this group must authenticate with ssh-agent; all other users are granted access without authenticating at all"
@srstsavage
Copy link

Yeah, this seems strange to me too. Maybe the last line in pamAuthenticate should just be changed to return AuthError?

@pmoody-
Copy link
Contributor

pmoody- commented May 8, 2020

this whole bit of code can probably be removed. I added it initially because I wanted to make the deployment of pam_ussh as easy as possible, so we could say that if a user wasn't in a particular group then they'd use whatever the "old" pam sudo configuration was.

this was mitigation for deploying a potentially breaking change in prod.

is this option useful to you at all?

@pmoody-
Copy link
Contributor

pmoody- commented May 8, 2020

also, I left uber ~6 months ago or so and this project hasn't been maintained by anyone since I left. I'm going to fork this, and probably rename it.

@candlerb
Copy link
Author

candlerb commented May 8, 2020

I don't need this option.

It just seemed weird; I would have thought that if the intention was to fall through to subsequent modules, it would have returned PAM_IGNORE rather than PAM_SUCCESS.

@srstsavage
Copy link

Yeah, I think the pam configuration itself should be adjusted with required/requisite if other modules are to be used instead of pam-ussh returning success if no auth check was actually performed.

also, I left uber ~6 months ago or so and this project hasn't been maintained by anyone since I left. I'm going to fork this, and probably rename it.

That's good to hear, I've been evaluating if this project is useful for us and likely have a few pull requests coming, was worried that it may have been abandoned. Can you ping this issue when you fork the repo?

@jessespears
Copy link
Member

@shane-axiom I will be available to review any pull requests that come this way. @pmoody- if you decide to fork this repo then I will consider your repo to be the upstream.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@candlerb @srstsavage @pmoody- @jessespears