Gentoo Forums
SSH, pam, & pam_iptables: pam/ssh gods please help!
Cheesefoam
Tux's lil' helper


Joined: 02 Jan 2003
Posts: 89

PostPosted: Wed Sep 29, 2004 4:39 pm    Post subject: SSH, pam, & pam_iptables: pam/ssh gods please help!

I've installed pam_iptables as a basic firewall authentication mechanism, piggybacking it off of ssh logins. Everything works fine as far as logging in and inserting a new rule into the firewall, but when the user logs out, the firewall rule is not removed.

I did some heavy modification to the script to find out what is going on and to address a couple of issues I have with the original insFwall script shipped with pam_iptables. What I have been able to determine is that when the user logs in, the insFwall script is executed as root, but on logout the script is executed under the user's credentials. A look at the relevant log lines in my syslog reveals as much:

Code:

Sep 29 08:22:39 Shoggoth sshd[13623]: Accepted password for jwarren from xx.xx.xx.xx port 1045 ssh2
Sep 29 08:22:40 Shoggoth logger: PAM-IPTABLES(root): Action = I, Search Status = 1, TTY = ssh
Sep 29 08:22:40 Shoggoth logger: PAM-IPTABLES: User jwarren logging in.  Checking for existing rules.
Sep 29 08:22:40 Shoggoth logger: PAM-IPTABLES: IP of user jwarren from xx.xx.xx.xx NOT in iptables.  Adding rule.
Sep 29 08:22:40 Shoggoth PAM-iptables[13625]: Rule put in place.
Sep 29 08:22:40 Shoggoth sshd(pam_unix)[13625]: session opened for user jwarren by (uid=0)
Sep 29 08:22:45 Shoggoth sshd(pam_unix)[13625]: session closed for user jwarren
Sep 29 08:22:45 Shoggoth logger: PAM-IPTABLES(jwarren): Action = D, Search Status = 1, TTY = pts/0
Sep 29 08:22:45 Shoggoth logger: PAM-IPTABLES: User jwarren logging out.  jwarren currently has 1 session(s) open.
Sep 29 08:22:45 Shoggoth logger: User has only one SSH session active.  Proceeding to delete firewall rule.


The relevant lines are the third and eighth lines, where I tossed a `whoami` into the logging script to find out who was executing the script.

My question is: Why is this happening, and is there any way to fix it? I currently work around this problem by doing scheduled flushes and reloads of my firewall with a default set of rules, getting rid of all of the inserted rules.

I briefly tried (and I know it is an egregious security risk) doing a setuid on the insFwall script to see if that was the problem, but it is not; it is because the user cannot (and rightly so!) execute iptables to modify the firewall.

Any suggestions?
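Added example, not code from the post or from pam_iptables: a small Python checker that reads the syslog excerpt quoted above and flags logins whose allow rule was inserted as root but whose logout hook (Action = D) ran as the unprivileged user, which is exactly the condition that leaves a stale allow rule in the firewall. The host name, user name and masked IP are the ones quoted in the post; the parenthesised user in the PAM-IPTABLES lines is assumed to be the `whoami` output the poster added.

```python
import re

# Sample lines, taken from the syslog excerpt in the post above (host, user
# and masked IP exactly as quoted there; nothing else is real).
SAMPLE_LOG = """\
Sep 29 08:22:39 Shoggoth sshd[13623]: Accepted password for jwarren from xx.xx.xx.xx port 1045 ssh2
Sep 29 08:22:40 Shoggoth logger: PAM-IPTABLES(root): Action = I, Search Status = 1, TTY = ssh
Sep 29 08:22:40 Shoggoth logger: PAM-IPTABLES: User jwarren logging in.  Checking for existing rules.
Sep 29 08:22:40 Shoggoth logger: PAM-IPTABLES: IP of user jwarren from xx.xx.xx.xx NOT in iptables.  Adding rule.
Sep 29 08:22:40 Shoggoth PAM-iptables[13625]: Rule put in place.
Sep 29 08:22:40 Shoggoth sshd(pam_unix)[13625]: session opened for user jwarren by (uid=0)
Sep 29 08:22:45 Shoggoth sshd(pam_unix)[13625]: session closed for user jwarren
Sep 29 08:22:45 Shoggoth logger: PAM-IPTABLES(jwarren): Action = D, Search Status = 1, TTY = pts/0
Sep 29 08:22:45 Shoggoth logger: PAM-IPTABLES: User jwarren logging out.  jwarren currently has 1 session(s) open.
Sep 29 08:22:45 Shoggoth logger: User has only one SSH session active.  Proceeding to delete firewall rule.
"""

# The name in parentheses is assumed to be the `whoami` the poster added.
ACTION_RE = re.compile(
    r"PAM-IPTABLES\((?P<who>[^)]+)\): Action = (?P<action>[ID]), "
    r"Search Status = (?P<status>\d+), TTY = (?P<tty>\S+)"
)
USER_RE = re.compile(r"PAM-IPTABLES: User (?P<user>\S+) logging (?P<dir>in|out)\b")


def parse_hook_runs(lines):
    """Pair each 'Action = I/D' line with the 'User ... logging in/out' line
    that follows it; return one dict per script invocation."""
    runs, pending = [], None
    for line in lines:
        m = ACTION_RE.search(line)
        if m:
            pending = {"who": m["who"], "action": m["action"], "tty": m["tty"]}
            continue
        m = USER_RE.search(line)
        if m and pending is not None:
            pending.update(user=m["user"], direction=m["dir"])
            runs.append(pending)
            pending = None
    return runs


def stale_rule_users(lines):
    """Users whose allow rule was inserted as root (Action = I) but whose
    logout hook (Action = D) ran as the user, so iptables cannot remove it."""
    runs = parse_hook_runs(lines)
    inserted = {r["user"] for r in runs if r["action"] == "I" and r["who"] == "root"}
    unprivileged_deletes = {r["user"] for r in runs if r["action"] == "D" and r["who"] != "root"}
    return sorted(inserted & unprivileged_deletes)
```

Run `stale_rule_users(SAMPLE_LOG.splitlines())` against a real syslog to list users whose logout left an allow rule behind; an empty list means every delete hook ran with root privileges.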