I've got a problem with a proxy configuration. We have an LDAP group that lists all users who are authorised to use the proxy to FTP (usually Filezilla) out to the world, and by implication those not in the group should be denied. My users are delighted that this has been enabled and those that wish to get out can do so; however, we're not stopping anyone not in the group (and therefore not authorised).
We found this out because I'm not authorised but whilst troubleshooting for a user I connected out no problem. That ended up being a user password problem, so they failed the LDAP check and so PAM prevented the connection.
I haven't got a test server so I will have to get a slot outside business hours (which will be a nightmare in itself) to try out my thoughts, but I wanted to sanity check it first. The server is running CentOS. The proxy server is SOCKS in /usr/sbin/ss5 and running as the root user.
My suspicion is about the PAM file, /etc/pam.d/ss5 and the way it has been set up. We have this:-
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
auth required pam_wheel.so use_uid group=SocksUsers
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
My theory is that the line defining the allowed group also includes the use_uid option, and given that the ss5 daemon is running as the super-user, everyone is automatically authenticated. There is a proxy authentication required, but messages in /var/log/secure give me this when I authenticate to the proxy correctly and give invalid credentials to an internet-based FTP site:-
Nov 28 15:03:14 gateway-b ss5: pam_unix(ss5:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=donald.trump
Nov 28 15:03:14 gateway-b ss5: pam_winbind(ss5:auth): getting password (0x00000008)
Nov 28 15:03:14 gateway-b ss5: pam_winbind(ss5:auth): pam_get_item returned a password
Nov 28 15:03:14 gateway-b ss5: pam_winbind(ss5:auth): user 'donald.trump' granted access
Yes, some Windoze joker created me a test account with that name. Sorry about that. No political persuasion inferred, naturally - I'm British after all.
Before I try to get a slot, does anyone want to contradict my theory? I'd be grateful for avoiding unnecessary effort if I've gone off on the wrong track.
Many thanks, in advance,
Robin
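An added illustration (not from the post, ss5 or Linux-PAM) of the two mechanics at play in a stack like the one above: pam_wheel's use_uid compares the calling process's real uid (root, for a root daemon) against the group rather than the user logging in, and a `sufficient` module that succeeds inside an included stack ends evaluation before any later line runs. The system-auth contents, the `ss5_fixed` variant using pam_succeed_if, and the per-module results are assumptions, not taken from the poster's server.

```python
"""Toy Linux-PAM 'auth' stack evaluator (added illustration, not Linux-PAM code).
Expands 'include' and applies the control flags so you can see which lines of
/etc/pam.d/ss5 are actually executed. Module outcomes are supplied by the caller
instead of being looked up in real passwd/group data."""
SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# ASSUMED stacks. 'ss5_posted' mirrors the auth lines of the post; 'system-auth'
# is a typical CentOS layout; 'ss5_fixed' moves a membership check on the
# authenticating user in front of the include as 'requisite' (assumption).
PAM_FILES = {
    "system-auth": [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
                    ("sufficient", "pam_winbind.so"), ("required", "pam_deny.so")],
    "ss5_posted": [("include", "system-auth"),
                   ("required", "pam_wheel.so use_uid group=SocksUsers")],
    "ss5_fixed": [("requisite", "pam_succeed_if.so user ingroup SocksUsers"),
                  ("include", "system-auth")],
}

def flatten(service):
    """Inline 'include' lines into one flat list, the way Linux-PAM does."""
    lines = []
    for ctrl, args in PAM_FILES[service]:
        lines.extend(flatten(args) if ctrl == "include" else [(ctrl, args)])
    return lines

def run_auth(service, module_results):
    """module_results maps module name -> SUCCESS/FAIL/IGNORE.
    Returns (verdict, list of modules that were actually executed)."""
    required_failed, succeeded, reached = False, False, []
    for ctrl, args in flatten(service):
        module = args.split()[0]
        reached.append(module)
        result = module_results.get(module, IGNORE)
        if ctrl == "requisite" and result == FAIL:
            return FAIL, reached                      # stop immediately
        if ctrl == "required" and result == FAIL:
            required_failed = True                    # remember, keep going
        elif ctrl == "sufficient" and result == SUCCESS and not required_failed:
            return SUCCESS, reached                   # later lines never run
        elif result == SUCCESS:
            succeeded = True
    return (FAIL if required_failed or not succeeded else SUCCESS), reached

# Constructed scenario: a domain user NOT in SocksUsers with a correct password.
# pam_unix knows no such local account, winbind accepts the password; whatever
# pam_wheel (checking root's membership via use_uid) would say is irrelevant
# if that line is never consulted.
NON_MEMBER = {"pam_unix.so": FAIL, "pam_winbind.so": SUCCESS,
              "pam_deny.so": FAIL, "pam_wheel.so": FAIL, "pam_succeed_if.so": FAIL}

if __name__ == "__main__":
    for svc in ("ss5_posted", "ss5_fixed"):
        print(svc, run_auth(svc, NON_MEMBER))
```

Running it shows which modules the non-member actually passes through in each ordering; a real-server check of the same question is to authenticate as a non-member and look for any pam_wheel line in /var/log/secure.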