irods / irods_auth_plugin_pam_interactive


Account spoofing #18

Open 0x010C opened 3 months ago

0x010C commented 3 months ago

Good morning,

I am currently testing this plugin (thanks for that!) to delegate the authentication of my users to an SSO (keycloak) via the OIDC protocol.

My tests worked well with pam_deviceauthgrant (but also with PAM-OIDC-Device-Flow), however, I came across a strange behavior where I was able to log into another user's account (see test-case 4 below).

Here are my configuration files:

Server-side configuration

/etc/irods/server_config.json

    ...
    "plugin_configuration": {
        "authentication": {
                "pam_interactive" : {
                        "password_min_time": 3600,
                        "password_max_time": 7200
                }
        },
        ...
    },
    ...

/etc/pam.d/irods

auth    required        pam_nologin.so
auth    sufficient      /usr/local/lib64/security/pam_deviceauthgrant.so debug
auth    required        pam_deny.so
account sufficient      /usr/local/lib64/security/pam_deviceauthgrant.so

Client-side configuration

~/.irods/irods_environment.json

{
    "irods_authentication_scheme": "pam_interactive",
    "irods_host": "my.irods.domain.name",
    "irods_port": 1247,
    "irods_user_name": "userA",
    "irods_zone_name": "myZone"
}

What I have done

Successful test-cases (for information and context)

### Test-case 1

Set "userA" in irods_environment.json. When prompted for login by pam_interactive, type "userA". When the SSO login-page opens, log-in as "userA".

```shell
$ iinit
login: userA
Login at https://my.sso.domain.name/realms/test/device?user_code=ABCD-EFGH
After login press Enter
$ ils
/myZone/home/userA:
  testfile.json
```

**Expected behaviour:** Be logged-in as userA
**Result:** :heavy_check_mark: Logged-in as userA

### Test-case 2

Set "userA" in irods_environment.json. When prompted for login by pam_interactive, type "userB". When the SSO login-page opens, log-in as "userA".

```shell
$ iinit
login: userB
Login at https://my.sso.domain.name/realms/test/device?user_code=ABCD-EFGH
After login press Enter
Level 0: Error occurred while authenticating user [userA] [CAT_INVALID_AUTHENTICATION: authentication flow completed without success ] [ec=-826000]
```

**Expected behaviour:** Login error
**Result:** :heavy_check_mark: Login error

### Test-case 3

Set "userA" in irods_environment.json. When prompted for login by pam_interactive, type "userA". When the SSO login-page opens, log-in as "userB".

```shell
$ iinit
login: userA
Login at https://my.sso.domain.name/realms/test/device?user_code=ABCD-EFGH
After login press Enter
Level 0: Error occurred while authenticating user [userA] [CAT_INVALID_AUTHENTICATION: authentication flow completed without success ] [ec=-826000]
```

**Expected behaviour:** Login error
**Result:** :heavy_check_mark: Login error

### Test-case 4

Set "userA" in irods_environment.json. When prompted for login by pam_interactive, type "userB". When the SSO login-page opens, log-in as "userB".

```shell
$ iinit
login: userB
Login at https://my.sso.domain.name/realms/test/device?user_code=ABCD-EFGH
After login press Enter
$ ils
/myZone/home/userA:
  testfile.json
```

**Expected behaviour:** Be logged-in as userB or login error
**Result:** :red_circle: Logged-in as userA

In other words, I logged into userA account using userB credentials.


I'm not sure if it's a configuration error on my part (in this case sorry for the inconvenience) or a pam_interactive bug, but in the latter case it's a major security issue.

Thanks and best regards

alanking commented 3 months ago

Thanks for bringing this to our attention. This is indeed a bug in pam_interactive, not a configuration error on your part.

The fix would be to ensure that the username being fed to PAM matches the username which is being authenticated with iRODS.

We will try to fix it as soon as we can. As a reminder, this plugin has not been officially released, so it may be slow going for the severity level.

@ll4strw - Just giving you a notification of this issue. We do not think this is a problem with the deviceauthgrant module, but want you to be aware of its existence.

ll4strw commented 3 months ago

@alanking @0x010C thanks for the heads-up. Indeed, I see this is a problem with the pam plugin.

ll4strw commented 3 months ago

Glancing at the code, a possible fix for this issue would involve passing the irods username to the pam stack so that pam can set PAM_USER to match the irods username. This would solve two problems: 1. getting prompted for a username twice, 2. force pam to use the provided irods username preventing spoofing. Any ideas?

0x010C commented 2 months ago

@ll4strw I've compiled your commit and my test-cases are working as expected now, thanks!

trel commented 2 months ago

I haven't run it - but... this solution still prompts for the username once?

So, in Test-case 4... 'userB' is given as the answer to the prompt... and then fails to get past the plugin because of the new confirmation check? Because 'userB' doesn't match the environment's 'userA'?

0x010C commented 2 months ago

No, there are no prompts for the username anymore. In my case (using pam_deviceauthgrant) it looks like this now:

$ iinit
Login at https://my.sso.domain.name/realms/test/device?user_code=ABCD-EFGH
After login press Enter 

From what I see there are only two cases left, both working as I expect:

trel commented 2 months ago

Oh, even better. Thanks for the confirmation!

ll4strw commented 2 months ago

> I haven't run it - but... this solution still prompts for the username once?
>
> So, in Test-case 4... 'userB' is given as the answer to the prompt... and then fails to get past the plugin because of the new confirmation check? Because 'userB' doesn't match the environment's 'userA'?

@trel If a user does not set a username in their irods env file, then they will be prompted Enter your irods user name:. The input value will set PAM_USER. If a user has a pre-set irods username in their env, that value will be copied into PAM_USER. The pam module is then free to do whatever it wants with that PAM_USER.
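The two explanations above (alanking's "PAM user must match the iRODS user" and ll4strw's "copy the iRODS user name into PAM_USER, prompting only when the env file has none") can be modelled side by side. This is an added example, not the plugin's code: the PAM stack and the SSO are replaced by a constructed stand-in (`sso_logged_in_as`), and all function names are hypothetical.

```cpp
// Added example (not the plugin's code): a model of the identity-binding bug in this
// issue. Three names are in play: the iRODS user from irods_environment.json, the name
// handed to PAM as PAM_USER, and the identity the SSO actually authenticated.
#include <functional>
#include <optional>
#include <string>

using SsoCheck = std::function<bool(const std::string& pam_user)>;

struct AuthResult {
    bool ok;                 // did the PAM stack report success
    std::string irods_user;  // account the iRODS session is issued for
    std::string pam_user;    // name PAM actually authenticated
};

// Vulnerable flow: PAM_USER comes from a separate "login:" prompt and is never
// compared with the iRODS user the session is created for (test-case 4).
AuthResult vulnerable_flow(const std::string& irods_user,
                           const std::string& typed_login,
                           const SsoCheck& sso_authenticates) {
    bool ok = sso_authenticates(typed_login);
    return {ok, irods_user, typed_login};
}

// Fixed flow as ll4strw describes it: PAM_USER is set from the iRODS user name, taken
// from the environment file or, if absent, a single "Enter your irods user name:"
// prompt. PAM then authenticates that same name, so it cannot diverge from the session.
AuthResult fixed_flow(const std::optional<std::string>& env_user,
                      const std::function<std::string()>& prompt_irods_user,
                      const SsoCheck& sso_authenticates) {
    std::string irods_user = env_user ? *env_user : prompt_irods_user();
    bool ok = sso_authenticates(irods_user);
    return {ok, irods_user, irods_user};
}

// Server-side invariant from alanking's comment: a session is only valid when the
// PAM-authenticated name equals the iRODS user being logged in.
bool session_is_consistent(const AuthResult& r) {
    return r.ok && r.irods_user == r.pam_user;
}

// Constructed stand-in for the SSO device flow: success only when the name PAM asks
// about equals the identity that completed the browser login.
SsoCheck sso_logged_in_as(const std::string& sso_identity) {
    return [sso_identity](const std::string& pam_user) { return pam_user == sso_identity; };
}
```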

trel commented 2 months ago

Got it. I had missed the if/else case upon inspection.