
Fun with kppp (PAM?)

Posted: 2005/05/27 21:23:12
by NathanZook
I'm quite new, so feel free to respond with RTFM & a good pointer...

I'm trying to set kppp up, and having some troubles...
1) (minor) The default baud rate for kppp was so high that my modem defaulted to 9600. Lowering it allowed me to run @ 57600.
2) The suid solution in /usr/share/doc/HTML/en/kppp/security.docbook doesn't work. The window for kppp comes up, but I'm not allowed to access the connect button.
3) The kppp.allow solution in the same file seems to have no effect.

It appears that kppp has been configured either to be pam aware & overrides other access rules. So I've read up on PAM...

4) The module is testing against UID 0, which means that "auth sufficient debug user ingroup dialout" either always fails or always succeeds. The rootok line isn't kicking in, so I expect that the bug is in

5) MODERATE SECURITY BUG: It appears that some (most? all?) of the files in /etc/pam.d have a "auth sufficient" and also a "session optional". This means that any user who is authenticated can run any of these programs until his timestamp expires!!!

In other words, if I give kppp access to someone, they have access to system-config-users until their timestamp expires.

PROPOSED WORKAROUND: Replace "session optional" with "auth optional" immediately following the "auth required service=system-auth" line. This should ensure that 1) a good password entry cannot be indefinitely extended by repeatedly calling these services, and 2) the timestamp can only be used after a successful password entry.

FIX: The timestamp facility should be made modular, either to particular services or to groups of services.

Re: Fun with kppp (PAM?)

Posted: 2005/05/29 15:10:02
by NathanZook
I sent a link to the above note to the maintainer of succeed_if (an employee of Prominent North American Enterprise Linux Vendor (tm)). He kindly & rapidly pointed me to the use_uid option for succeed_if. :-D I now have precisely the behavior I desire with the following /etc/pam.d/kppp file:

# Module names restored from the references in the post (succeed_if, rootok,
# timestamp; "service=system-auth" is a pam_stack.so argument). The module
# column of two lines did not survive the post and is left blank.
auth      sufficient  pam_succeed_if.so debug use_uid user ingroup dialout
auth      sufficient  pam_rootok.so
auth      sufficient  pam_timestamp.so
auth      required    pam_stack.so service=system-auth
session   optional                       # module name lost from the post
# session optional    pam_timestamp.so
account   required                       # module name lost from the post

NOTE THE COMMENTING OUT OF THE session timestamp line! Failure to comment out this line will give root privileges to all members of dialout!

I have not experimented with making the session timestamp line into a final auth timestamp line.
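The two points of this thread, the shared timestamp (first post, "MODERATE SECURITY BUG") and the use_uid fix for pam_succeed_if (second post), can be walked through with a small model of how Linux-PAM evaluates an auth stack. This is an added example, not code from the post, from kppp or from Linux-PAM: the pam_* modules are stubs that follow their documented behaviour, the pam_stack service=system-auth line is stubbed as a password check, and the configs, the user `nathan`, the password `hunter2` and the 300-second timeout are constructed for the demo. The one piece of real behaviour it leans on is that pam_timestamp keys its timestamp on the calling user and target user, not on the service, which is exactly why a timestamp written by kppp is honoured by system-config-users.

```python
"""Model of how Linux-PAM walks the auth stacks discussed in this thread.
Added example; not code from the post, kppp or Linux-PAM.  The pam_* module
bodies are stubs mimicking pam_rootok, pam_timestamp, pam_succeed_if (with
and without use_uid) and a pam_stack service=system-auth password prompt.
The configs, the user 'nathan' and the password 'hunter2' are constructed."""

TIMESTAMP_TIMEOUT = 300.0  # seconds; pam_timestamp's default lifetime (assumed)


def kppp_config(use_uid=True, session_timestamp=False):
    """Constructed /etc/pam.d/kppp in the layout the thread describes.
    session_timestamp=True is the line the second post says must stay commented."""
    return "\n".join([
        "auth     sufficient pam_succeed_if.so debug %suser ingroup dialout"
        % ("use_uid " if use_uid else ""),
        "auth     sufficient pam_rootok.so",
        "auth     sufficient pam_timestamp.so",
        "auth     required   pam_stack.so service=system-auth",
        "session  optional   pam_xauth.so",
        ("" if session_timestamp else "# ") + "session  optional   pam_timestamp.so",
        "account  required   pam_permit.so",
    ])


# A second consolehelper-style service with the stock stack (constructed).
SYSTEM_CONFIG_USERS = """\
auth     sufficient pam_rootok.so
auth     sufficient pam_timestamp.so
auth     required   pam_stack.so service=system-auth
session  required   pam_permit.so
session  optional   pam_xauth.so
session  optional   pam_timestamp.so
account  required   pam_permit.so
"""


def parse_pam(text):
    """Parse one /etc/pam.d/<service> file into (type, control, module, args)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        rules.append((parts[0], parts[1], parts[2], parts[3:]))
    return rules


class Host:
    """Just enough system state for the modules the thread talks about."""

    def __init__(self, groups, password="hunter2"):
        self.groups = groups        # user -> set of group names
        self.password = password    # the one password system-auth accepts (stub)
        # pam_timestamp keys on (calling user, target user), NOT on the service,
        # so every service on the box shares this table.
        self.timestamps = {}

    def run_module(self, module, args, req, now):
        real, target, given = req["real_user"], req["target_user"], req.get("password")
        if module == "pam_rootok.so":          # caller already root?
            return real == "root"
        if module == "pam_timestamp.so":       # fresh timestamp for this caller/target?
            t = self.timestamps.get((real, target))
            return t is not None and now - t < TIMESTAMP_TIMEOUT
        if module == "pam_succeed_if.so":      # 'user ingroup <grp>'
            # The thread's point: without use_uid the test runs against the PAM
            # user (root, under consolehelper); with it, against the real caller.
            who = real if "use_uid" in args else target
            return args[args.index("ingroup") + 1] in self.groups.get(who, set())
        if module == "pam_stack.so":           # stands in for the password prompt
            return given is not None and given == self.password
        if module in ("pam_permit.so", "pam_xauth.so"):
            return True
        raise ValueError("no stub for %s" % module)

    def authenticate(self, rules, req, now):
        """Linux-PAM control-flag semantics for the 'auth' rules, simplified."""
        failed = False
        for ptype, control, module, args in rules:
            if ptype != "auth":
                continue
            ok = self.run_module(module, args, req, now)
            if control == "sufficient" and ok and not failed:
                return True                     # short-circuit success
            if control == "requisite" and not ok:
                return False                    # short-circuit failure
            if control == "required" and not ok:
                failed = True                   # remembered, stack continues
        return not failed

    def open_session(self, rules, req, now):
        """The only session module modelled is pam_timestamp, which writes a stamp."""
        for ptype, _control, module, _args in rules:
            if ptype == "session" and module == "pam_timestamp.so":
                self.timestamps[(req["real_user"], req["target_user"])] = now


def dialout_user_after_kppp(kppp_cfg):
    """A dialout member (not root) runs kppp, then system-config-users with no
    password.  Returns which of the three outcomes the thread describes occurs."""
    host = Host(groups={"nathan": {"dialout"}, "root": {"root"}})
    req = {"real_user": "nathan", "target_user": "root"}  # consolehelper asks PAM for root
    kppp = parse_pam(kppp_cfg)
    if not host.authenticate(kppp, req, now=1000.0):
        return "kppp denied"                  # what the first post hit without use_uid
    host.open_session(kppp, req, now=1000.0)  # may leave a timestamp behind
    if host.authenticate(parse_pam(SYSTEM_CONFIG_USERS), req, now=1010.0):
        return "root via timestamp"           # the MODERATE SECURITY BUG
    return "kppp only"                        # the second post's final config


if __name__ == "__main__":
    for label, cfg in [("no use_uid", kppp_config(use_uid=False)),
                       ("session timestamp left in", kppp_config(session_timestamp=True)),
                       ("posted config", kppp_config())]:
        print("%-26s -> %s" % (label, dialout_user_after_kppp(cfg)))
```

Running the three variants shows the progression in the thread: without use_uid the succeed_if line tests root and the dialout member is refused, with the session pam_timestamp line active the member comes out of kppp holding a timestamp that system-config-users accepts as a root login, and only the posted config (use_uid on, session timestamp commented out) gives dialout members kppp and nothing more.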