kohsuke / libpam4j

libpam4j
http://libpam4j.kohsuke.org/
MIT License

libpam4j authenticates invalid accounts #18

Closed rtwruck closed 6 years ago

rtwruck commented 7 years ago

Currently, the call to pam_acct_mgmt is commented out in PAM.authenticate. Thus any login restrictions configured via PAM account modules are ignored by PAM.authenticate. This usually affects, among others, settings in /etc/security/access.conf (pam_access), /etc/nologin (pam_nologin) and host/service name authorization of pam_ldap. Any return value other than PAM_SUCCESS from pam_acct_mgmt should prevent a successful authentication.

letonez commented 7 years ago

I have run into this issue as well. PAM is configured to use SSSD/LDAP authentication. SSSD is configured to use the Simple access provider, which allows LDAP group-based authorization. When I log in through SSH with an LDAP user that is not in one of my sssd authorized groups, the user is denied access. HOWEVER, when I log in using libpam4j, using the same (system-auth) PAM service as sshd, the user is allowed access.

This is a pretty major bug in libpam4j, is it not? Is anyone maintaining this currently??
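The difference letonez describes (sshd denies the user, libpam4j lets the same user in) can be turned into a repeatable check of whether a given libpam4j build honours the account-management phase. The following is an added example written for this page; it is not code from libpam4j, from the fix, or from anyone in this thread. It uses only the library's public API (`org.jvnet.libpam.PAM`, `UnixUser`, `PAMException`) and assumes the operator has prepared a test account with valid credentials that an account module rejects for the chosen service, for instance a `-:testuser:ALL` line in `/etc/security/access.conf` with `pam_access` in that service's `account` stack (the file and module are the ones named in the issue). The class name, the `Outcome` enum and the helper names are this example's own.

```java
// Added example, not part of libpam4j or of this issue thread. It drives
// libpam4j's public API to see whether a build enforces the result of the
// PAM account-management phase (pam_acct_mgmt), which this issue reports as
// being skipped.
import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;
import org.jvnet.libpam.UnixUser;

public final class AcctMgmtCheck {

    /** Outcome of one login attempt made through libpam4j. */
    enum Outcome { ALLOWED, DENIED, ERROR }

    /**
     * Runs PAM.authenticate() for the given service, user and password and
     * reports whether the library let the user in. libpam4j signals any
     * non-PAM_SUCCESS status by throwing PAMException, so that is DENIED.
     */
    static Outcome attempt(String service, String user, String password) {
        PAM pam = null;
        try {
            pam = new PAM(service);
            UnixUser u = pam.authenticate(user, password);
            return u != null ? Outcome.ALLOWED : Outcome.DENIED;
        } catch (PAMException e) {
            return Outcome.DENIED;
        } catch (RuntimeException e) {
            // e.g. JNA could not load libpam; the check itself did not run.
            return Outcome.ERROR;
        } finally {
            if (pam != null) pam.dispose();
        }
    }

    /**
     * Decides whether the build is affected. Precondition (assumed, set up by
     * the operator): the account used has a correct password but is rejected
     * by an account module for this service. A correct PAM client must DENY
     * such a user; if libpam4j returns ALLOWED, pam_acct_mgmt() is not being
     * consulted and every account-stage restriction is being bypassed.
     */
    static boolean skipsAccountManagement(Outcome accountDeniedUserResult) {
        return accountDeniedUserResult == Outcome.ALLOWED;
    }

    public static void main(String[] args) {
        if (args.length != 3) {
            System.err.println("usage: AcctMgmtCheck <pam-service> <account-denied-user> <password>");
            System.exit(2);
        }
        Outcome out = attempt(args[0], args[1], args[2]);
        System.out.println("libpam4j result for " + args[1] + ": " + out);
        if (out == Outcome.ERROR) {
            System.out.println("check did not run (PAM/JNA error)");
            System.exit(2);
        }
        if (skipsAccountManagement(out)) {
            System.out.println("AFFECTED: account-stage restrictions are ignored by this build");
            System.exit(1);
        }
        System.out.println("OK: account-management denial is enforced");
    }
}
```

Run it with the same PAM service name the application uses (the thread's example is `system-auth`) and under the same privileges the application runs with, since most `auth` stacks on Linux can only verify passwords as root. A non-zero exit for the deliberately restricted account is the expected, correct behaviour; exit status 1 means the build under test reproduces this issue and should be upgraded to a version that checks `pam_acct_mgmt`.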

apoleon commented 6 years ago

This issue has been assigned CVE-2017-12197. Apparently it was patched by Red Hat but I have no information if they intend to forward the patch. https://bugzilla.redhat.com/show_bug.cgi?id=1503103

kohsuke commented 6 years ago

I feel terrible for not noticing this sooner, but I just committed a fix for this.