Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PAM_SUCCESS returned for non-duo users instead of PAM_IGNORE #244

Open
st0rmi opened this issue Mar 2, 2023 · 8 comments
Open

PAM_SUCCESS returned for non-duo users instead of PAM_IGNORE #244

st0rmi opened this issue Mar 2, 2023 · 8 comments

Comments

@st0rmi
Copy link

st0rmi commented Mar 2, 2023

Summary

The pam_duo module returns PAM_SUCCESS when encountering a user that is not part of the configured groups. I believe it would be better to return PAM_IGNORE instead in these cases.

We are using pam_duo as the only authentication factor for using sudo (we use SSH keys for logon) and are therefore configuring pam_duo as sufficient. This, however, also allows all other users with sudo permissions to bypass password authentication, as PAM_SUCCESS is returned for them

Steps to reproduce

Authenticate as a user that is not configured for pam_duo.

Specs

Tested on Ubuntu 22.04 amd64, but should be the same across all OSes supported by pam_duo.

@AaronAtDuo
Copy link
Contributor

@st0rmi Just to make sure I'm looking at the right place, you are talking about the return value at https://github.com/duosecurity/duo_unix/blob/master/pam_duo/pam_duo.c#L221? Where if the user doesn't match any groups we return PAM_SUCCESS?

@st0rmi
Copy link
Author

st0rmi commented Mar 2, 2023

@AaronAtDuo Yup, that's the line that I believe is the culprit. I am not 100% sure, but I believe a PAM_IGNORE might be better here.

@AaronAtDuo
Copy link
Contributor

@st0rmi This seems like a reasonable idea. The tricky part is that if we release with this change, it could alter the behavior of existing PAM stacks, possibly even opening security vulnerabilities if people aren't expecting it.

Off the top of my head, the safest way to deal with that problem feels like we should keep the old behavior as default but allow (probably by config) an opt-in to the new behavior. I'm worried that hardly anyone will opt in to the new behavior though, somewhat undermining the effectiveness of updating it...

@st0rmi
Copy link
Author

st0rmi commented Mar 7, 2023

@AaronAtDuo That such a change might break existing PAM configurations was a concern I had as well. I think handling this behavior via config is probably the safest option. It might also be an option to take the "fail safe"/"fail secure" config that already exists for other behaviors into account.

@Xaraxia
Copy link

Xaraxia commented Mar 13, 2023

We do some shenanigans on our site to ensure we don't go through DUO for non-DUO users at all, specifically because of this problem. So +1 from here.

@st0rmi
Copy link
Author

st0rmi commented Apr 21, 2023

It could also be an option to initially make this a non-default configuration (i.e. user has to manually set this behavior in the config file) and then change it to be the default behavior during the next major version update.

I could go ahead and create a PR for this, unless you need some more time to discuss this change internally first. What are your thoughts on this?

@AaronAtDuo
Copy link
Contributor

Interesting - looks like about 8 years ago we had the same thought, but reverted it
3eb3e35

@Xaraxia
Copy link

Xaraxia commented Dec 1, 2023

By the PAM semantics, however, the commit AaronAtDuo mentions above was correct prior to the change. I note this makes it difficult to manage with the DUO config instead of inside PAM (it's certainly possible to bypass based on group with PAM, because that's what I'm doing now, but I acknowledge it makes the config more complicated).

Can I second a config option, please? I understand why the default behaviour is designed to support your DUO configuration, but for those people who have multiple MFA stacks it matters. There are complex reasons why we have multiple MFA stacks and it's not an option to use DUO for certain users. At the moment I have to put all DUO users into a posix group and detect that group, otherwise bypass DUO.

The alternative to a config option is to change your documentation so that people who want to use the DUO config have to use [ ignore=ok ]. That should result in the same behaviour that you have now (as [success=ok] in a standard PAM stack). Then you can return ignore. This does require a config change on the client side and would need more communication of the change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants