#3458 Access verification by rhost using ldap_access_order rhost option
Closed: Fixed 6 years ago Opened 6 years ago by akamenskiy.

This issue is for PR #275. The content of the message from github is below. I am hoping this could be accepted/merged at some point as right now I compile my own package and install it on 1000+ servers to just get this simple functionality to work.

From Github:

TL;DR - this is to implement functionality similar to both of sshd_config:AllowUsers and of PAM's own rhost verification.

This was asked in IRC and mailing list (with little follow up in both). The reasoning behind implementation can be seen in linked mailing list thread.

Current PR provides basic functionality of comparing rhost (from pam) with values stored in LDAP. To enable this set ldap_access_order = rhost and ldap_user_authorized_rhost = <ldap_field_name| default: rhost> in sssd.conf.

For the DNS/rDNS verification I am considering implementing the following (bearing in mind RFC 1912):

Documentation must explicitly state that use of DNS/rDNS is going to introduce delays and should be used with caution, and recommend setting UseDNS no in sshd_conf to avoid problems with non-matching rDNS.

1. If PAM provides an IP address (IPv4 or IPv6) as rhost, then use it directly; if PAM provides a hostname, resolve it to an IP address (IPv4 and/or IPv6) using forward resolution (as per the RFC 1912 recommendation for FCrDNS) and use this IP address directly.
2. Relevant LDAP records must be prepended with a record type identifier in the manner `[!]identifier:record`. Allowed identifiers are `ip4|ip6|host`. For example the record `host:host1.example.com` allows access from the host with DNS record host1.example.com and `!ipv4:192.0.0.1` denies access from the rhost with IPv4 address 192.0.0.1. This is to spare some time on figuring out whether a record is a valid IPv4/IPv6 address or a hostname.
3. Additional configuration option `ldap_authorized_rhost_use_dns = <bool>` (Default: False). This option would enable/disable use of DNS/rDNS in the verification process.
   - If disabled, whatever is received from the LDAP record is matched as-is to whatever is received from PAM as the user's rhost (without the resolution mentioned in point 1 and ignoring the identifier from point 2).
   - When enabled the following logic would be applied:
     - If the LDAP record is an IPv4 or IPv6 address, match it against rhost (IPv4 or IPv6).
     - If the LDAP record is a hostname, then perform forward resolution of that hostname to IP addresses (v4 and/or v6), then match the resulting addresses against rhost. If both v4 and v6 IP addresses are available in rhost (after resolution in point 1), then each one must match (i.e. strict matching).

Please let me know if that is good, or any adjustments to this (e.g. throw away point 2 and attempt to check the type of record inside SSSD)?

I will hold on with implementation until any feedback on these.
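The proposed matching logic above, written out as an added example to make the semantics concrete; this is not SSSD code and not the reporter's patch. It assumes a constructed offline resolver in place of DNS, that with DNS disabled the value after the identifier is compared literally to rhost, that a matching `!` record takes precedence over allow records, and that only the identifiers `ip4`, `ip6` and `host` are accepted.

```python
import ipaddress

# Constructed forward-resolution table standing in for DNS so the example runs offline.
FIXTURE_DNS = {"host1.example.com": ["192.0.2.10", "2001:db8::10"],
               "host2.example.com": ["192.0.2.20"]}

def fixture_resolve(name):
    return FIXTURE_DNS.get(name, [])

def parse_record(rec):
    """Split '[!]identifier:value'; identifiers limited to ip4, ip6, host as proposed."""
    deny = rec.startswith("!")
    ident, sep, value = (rec[1:] if deny else rec).partition(":")
    if not sep or ident not in ("ip4", "ip6", "host") or not value:
        raise ValueError(f"malformed rhost record: {rec!r}")
    return deny, ident, value

def rhost_addresses(rhost, resolve):
    """Point 1: an IP literal is used directly, a hostname is forward-resolved."""
    try:
        return {ipaddress.ip_address(rhost)}
    except ValueError:
        return {ipaddress.ip_address(a) for a in resolve(rhost)}

def record_matches(rec, rhost, use_dns, resolve):
    """Return (is_deny_record, matched) for one LDAP record against the PAM rhost."""
    deny, ident, value = parse_record(rec)
    if not use_dns:
        # DNS disabled: literal comparison, identifier not interpreted (assumed reading).
        return deny, value == rhost
    addrs = rhost_addresses(rhost, resolve)
    if not addrs:            # unresolvable rhost can never match
        return deny, False
    if ident in ("ip4", "ip6"):
        target = ipaddress.ip_address(value)
        if (ident == "ip4") != (target.version == 4):
            raise ValueError(f"identifier/address family mismatch: {rec!r}")
        return deny, target in addrs
    # host record: strict matching, every rhost address must be one the name resolves to.
    permitted = {ipaddress.ip_address(a) for a in resolve(value)}
    return deny, addrs <= permitted

def rhost_allowed(records, rhost, use_dns=False, resolve=fixture_resolve):
    """Assumed policy: any matching '!' record denies; otherwise any matching record allows."""
    allowed = False
    for rec in records:
        deny, hit = record_matches(rec, rhost, use_dns, resolve)
        if hit and deny:
            return False
        allowed = allowed or hit
    return allowed
```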


Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1402056

6 years ago

@jhrozek I am sorry, this is not very clear to me what exact relationship between this issue and the linked one (linked one mentions MFA in ssh connection prompt)?

I think implementation for rhost verification process vs MFA prompt would be quite different (I may be wrong here of course, just need some clarification perhaps).

Metadata Update from @pbrezina:
- Custom field rhbz reset (from https://bugzilla.redhat.com/show_bug.cgi?id=1402056)

6 years ago

It was just an accident. It has no relationship.

Since the patches were pushed to all supported branches, I suggest we close this ticket.

Indeed. And I'd suggest opening a new issue in case @akamenskiy comes up with patches for hostname resolution.

Closing as it's been agreed with the reporter.

Metadata Update from @fidencio:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4484

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.