
RE: Credentials Caching - Security Guy Not Happy

From: Patrick Smears <patrick.smears_at_ensoft.co.uk>
Date: 2004-08-26 13:13:31 CEST

> Max Bowsher maxb-at-ukf.net |Lists| wrote:
> > I haven't done it myself, but I'd be surprised if there wasn't a way
> > to get PAM (and therefore ssh, and therefore svn+ssh) authenticating
> > against the AD.
>
> Patrick Smears patrick.smears-at-ensoft.co.uk |Lists| wrote:
> > I was just about to suggest this... I don't have much experience with
> > AD, but it's certainly fairly easy to have SSH authenticate against
> > an NT domain... look up the "pam_smb_auth.so" PAM module.
>
> ssh without ssh-add, yes. But that would require password prompting on
> every operation just like for http://
>
> But not ssh-agent. ssh-agent asks for the password embedded in
> the (local) private key file, not the one stored in /etc/password or in
> PAM or wherever on the remote machine. If the key file has a password,
> no amount of Active Directory will open it without the password, and if
> the key file doesn't have a password, it would be possible to use it
> without any Active Directory checking.

You are right - clearly it's too early in the morning for me to be posting
:-). But this might suggest a possible way towards solving the problem: the
original poster needs a solution where access can be revoked on the central
Active Directory server. It may be possible to modify pam_smb_auth.so so
that, rather than requiring a username/password, it simply checks whether
the account exists and has not been disabled. But that may be more work than
anyone's prepared to do...

Another potential route to a solution: it's possible (on a Linux machine) to
check whether an account exists and is enabled (in an NT domain) as follows:

  rpcclient -U myname server -c 'samlookupnames domain usertocheck'
  <outputs a line "name usertocheck: 0x123 (1)">
  rpcclient -U myname server -c 'queryuser 0x123'
  <outputs a lot of data, including a line 'acb_info : 0210'>

(this could be easily done by a shell script!) The bottom bit of the
'acb_info' number is 1 if the account is disabled (i.e. if the account above
were disabled, it would be '0211' rather than '0210').

Does anyone know if it's possible for PAM and/or sshd to perform
authentication/authorisation based on a shell script?

Alternatively, does installing OpenSSH sshd under Cygwin give what's wanted,
i.e. permit logins by public key only when the user exists in AD?

Patrick
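
The shell-script version of the exists-and-enabled check sketched in the post, as an added example that is not part of the original message and not Samba's or Subversion's own code. It parses the two rpcclient outputs shown above (the trailing "(1)" on the samlookupnames line is the SID type, 1 = user account; bit 0 of acb_info, 0x0001, is ACB_DISABLED) and goes one step beyond the post by also refusing accounts with ACB_AUTOLOCK (0x0400) set, since a locked-out account should not be let in either. The parsing functions take the rpcclient output as a string so the logic can be run offline against the constructed samples embedded below; check_account_live wraps the real rpcclient calls and assumes an authentication file for rpcclient's -A option (the path /etc/svn-rpc.auth, the server and the domain are placeholders). Exit status follows the PAM convention: 0 allowed, non-zero denied.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a domain
# account exists and is usable from rpcclient output.
# Return codes: 0 = account usable, 1 = disabled or locked out,
# 2 = no such user account / could not read its flags.

# Pull the RID out of a samlookupnames line such as
#   name usertocheck: 0x123 (1)
# The "(1)" is the SID type (1 = user), so a group or alias that happens
# to carry the requested name is rejected rather than being looked up.
rid_from_lookup() {
    printf '%s\n' "$1" |
        sed -n 's/^name [^:]*: \(0x[0-9A-Fa-f]\{1,\}\) (1)$/\1/p'
}

# Pull the acb_info hex flags out of queryuser output, with or without a
# leading 0x and regardless of how rpcclient indents the line.
acb_from_queryuser() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*acb_info[[:space:]]*:[[:space:]]*\(0x\)\{0,1\}\([0-9A-Fa-f]\{1,\}\)[[:space:]]*$/\2/p'
}

# ACB_DISABLED is bit 0 (0x0001): 0210 is enabled, 0211 is disabled.
# ACB_AUTOLOCK (0x0400) is treated the same way here.
account_blocked() {
    flags=$(( 0x$1 ))
    [ $(( flags & 0x0001 )) -ne 0 ] || [ $(( flags & 0x0400 )) -ne 0 ]
}

# Combine the two outputs into a single verdict.
#   $1: samlookupnames output   $2: queryuser output
check_account_from_output() {
    rid=$(rid_from_lookup "$1")
    if [ -z "$rid" ]; then
        echo "no user account with that name" >&2
        return 2
    fi
    acb=$(acb_from_queryuser "$2")
    if [ -z "$acb" ]; then
        echo "queryuser $rid returned no acb_info" >&2
        return 2
    fi
    if account_blocked "$acb"; then
        echo "RID $rid is disabled or locked out (acb_info $acb)" >&2
        return 1
    fi
    return 0
}

# Live check.  The server, domain and auth file are assumptions for this
# example; -A makes rpcclient read username=/password=/domain= lines from
# a file so a script is not stuck at a password prompt.
#   $1: server   $2: domain   $3: account   $4: auth file (optional)
check_account_live() {
    server=$1; domain=$2; acct=$3; authfile=${4:-/etc/svn-rpc.auth}
    lookup=$(rpcclient -A "$authfile" "$server" -c "samlookupnames $domain $acct") || return 2
    rid=$(rid_from_lookup "$lookup")
    [ -n "$rid" ] || return 2
    info=$(rpcclient -A "$authfile" "$server" -c "queryuser $rid") || return 2
    check_account_from_output "$lookup" "$info"
}

# Constructed sample output in the shape of the rpcclient runs above.
SAMPLE_LOOKUP='name usertocheck: 0x123 (1)'
SAMPLE_ENABLED='    User Name   :   usertocheck
    Full Name   :   Test User
    acb_info    :   0210'
SAMPLE_DISABLED='    User Name   :   usertocheck
    Full Name   :   Test User
    acb_info    :   0211'

# Usage: sh checkacct.sh SERVER DOMAIN ACCOUNT [AUTHFILE]
if [ $# -ge 3 ]; then
    check_account_live "$@"
    exit $?
fi
```

The script only answers the question the post asks (does the account exist and is it not disabled); it says nothing about password or account expiry, and it trusts the RPC session to the domain controller, so the credentials in the auth file should belong to a low-privilege account that can do nothing but these lookups. Hooks for calling such a script from the login path did arrive later: sshd's AuthorizedKeysCommand and Linux-PAM's pam_exec.so both exist on current systems, neither did in 2004.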

Received on Thu Aug 26 13:13:55 2004

This is an archived mail posted to the Subversion Users mailing list.