Closed SJCaldwell closed 5 years ago
The issue here is that I don't know how to overwrite the username after a user attempts to log into ssh with it. In lines 84-97 in aad.c:
```c
static const char *get_user_name(pam_handle_t *pamh, const Params *params){
  /* Obtain the user's name from PAM (PAM owns the returned string). */
  const char *username;
  if (pam_get_user(pamh, &username, NULL) != PAM_SUCCESS ||
      !username || !*username){
    log_message(LOG_ERR, pamh,
                "pam_get_user() failed to get a user name");
    return NULL;
  }
  if (params->debug){
    log_message(LOG_INFO, pamh,
                "debug: start of azure_authenticator for %s", username);
  }
  return username;
}
```
pam_get_user is being used to actually retrieve a copy of the username from pam, which has the canonical copy. I'm not sure if it's possible to edit that value, as it seems likely that for security reasons PAM devs would keep that part of memory read only.
Usernames may only be up to 32 characters long. --
man useradd
This attribute must be 20 characters or less to support earlier clients... --Microsoft Docs: SAM-Account-Name attribute
This attribute contains the UPN that is an Internet-style login name for a user based on the Internet standard RFC 822. --Microsoft Docs: User-Principal-Name attribute
NOTE: No max-length defined. See: StackOverflow - Is there a Maximum Length for userPrincipalName in Active Directory?
--display-name Required. The display name of the user. ... --user-principal-name Required. The user principal name (someuser@contoso.com). It must contain one of the verified domains for the tenant. --Microsoft Docs: az ad user
The samAccountName is the User Logon Name in Pre-Windows 2000... The userPrincipalName is a new way of User Logon Name from Windows 2000 and later versions. --samAccountName vs userPrincipalName
User Provisioning is out of scope for this module.
Current behavior: The user must truncate their username to a length acceptable to unix (under 35 characters). The module then truncates the username in the claims token to the same length and checks they're equal.
Having a user remember to truncate their own username is obviously incredibly inconvenient. I need to determine how to truncate the username in a way that is transparent to the user.
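Added illustration (not the module's code and not SJCaldwell's): a self-contained C model of the matching described above, with a hypothetical "derive the local name from the UPN" rule that would make the truncation transparent, and a check for the caveat that comes with it. `upn_matches_truncated`, `derive_local_name`, `derived_names_collide`, the 32-character cap taken from the `man useradd` quote, and the sample UPNs are all assumptions for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local username cap assumed here; the issue cites 32 from man useradd. */
#define UNIX_USER_MAX 32

/*
 * Model of the "current behaviour" in the issue: the user has already
 * truncated their UPN to a local login name; the UPN from the claims
 * token is truncated to the same cap and compared. Hypothetical helper.
 */
bool upn_matches_truncated(const char *upn, const char *login, size_t max_len)
{
    size_t upn_len = strlen(upn);
    size_t cmp_len = upn_len < max_len ? upn_len : max_len;
    return strlen(login) == cmp_len && memcmp(upn, login, cmp_len) == 0;
}

/*
 * One transparent alternative: derive the local name from the UPN with a
 * fixed rule (local part only, lowercased, unsafe characters dropped,
 * capped at max_len). The same rule can then run during provisioning and
 * inside the module, so the user never truncates anything by hand.
 * Returns the derived length; 0 on bad input (out is then "").
 */
size_t derive_local_name(const char *upn, char *out, size_t out_size, size_t max_len)
{
    const char *at = strchr(upn, '@');
    size_t local_len = at ? (size_t)(at - upn) : strlen(upn);
    size_t n = 0;

    if (out_size == 0) return 0;
    out[0] = '\0';
    if (local_len == 0) return 0;
    if (max_len >= out_size) max_len = out_size - 1;

    for (size_t i = 0; i < local_len && n < max_len; i++) {
        unsigned char c = (unsigned char)upn[i];
        if (isalnum(c))
            out[n++] = (char)tolower(c);
        else if (c == '.' || c == '-' || c == '_')
            out[n++] = (char)c;
        /* anything else (spaces, quotes, non-ASCII) is dropped */
    }
    out[n] = '\0';
    return n;
}

/* Convenience wrapper: does the derived name equal the expected string? */
bool derived_name_equals(const char *upn, const char *expected, size_t max_len)
{
    char buf[UNIX_USER_MAX + 1];
    size_t n = derive_local_name(upn, buf, sizeof buf, max_len);
    return n == strlen(expected) && strcmp(buf, expected) == 0;
}

/*
 * The caveat of any prefix truncation: two distinct UPNs that share their
 * first max_len characters collapse to the same local name. A deployment
 * must reject or disambiguate such collisions at provisioning time.
 */
bool derived_names_collide(const char *upn_a, const char *upn_b, size_t max_len)
{
    char a[UNIX_USER_MAX + 1], b[UNIX_USER_MAX + 1];
    if (strcmp(upn_a, upn_b) == 0) return false;   /* same user, not a collision */
    derive_local_name(upn_a, a, sizeof a, max_len);
    derive_local_name(upn_b, b, sizeof b, max_len);
    return a[0] != '\0' && strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed sample UPNs; long enough to exceed the 32-character cap. */
    const char *long_a = "Alexander.Montgomery-Smith.Engineering@contoso.com";
    const char *long_b = "Alexander.Montgomery-Smith.Engineer@contoso.com";
    char name[UNIX_USER_MAX + 1];

    derive_local_name(long_a, name, sizeof name, UNIX_USER_MAX);
    printf("derived local name: %s (%zu chars)\n", name, strlen(name));
    printf("current-behaviour match: %s\n",
           upn_matches_truncated("alexander.montgomery-smith.engineering@contoso.com",
                                 name, UNIX_USER_MAX) ? "yes" : "no");
    printf("collision between the two sample UPNs: %s\n",
           derived_names_collide(long_a, long_b, UNIX_USER_MAX) ? "yes" : "no");
    return 0;
}
```

The derive rule is only a candidate; whatever rule the module settles on, the collision check is the part worth keeping, since a shared 32-character prefix would otherwise let one directory user authenticate as the local account derived from another.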