NetBSD-Users archive


Re: User authentication problem (suspect PAM)



On Jan 3,  3:34am, Louis Guillaume wrote:
} 
} I have a terrible authentication problem going on with a mail server. 
} This is part of a massive spam attack I've been dealing with since ~ 
} Dec. 23rd. I'm posting here because I believe the problem is with PAM:
} 
} This is an i386 machine running netbsd-6 from mid-November '14.
} I'm using the following packages from pkgsrc-2014Q3:
} 
} 
}    sendmail-8.14.9nb3
}    cyrus-sasl-2.1.26nb4
}    cyrus-saslauthd-2.1.26nb3
}    pam-ldap-186nb5
}    openldap-client-2.4.39nb1
} 
} The problem goes like this:
} 
} The user's email account, all of a sudden started being used to relay 
} spam. A LOT of spam! It looked like the password was guessed. So I 
} changed the password in the LDAP server (the only place there is a 
} password for this user). But the spamming continued. The only way to 
} cause the authentication to fail is by deleting the local user on the 
} mail host.
} 
} Here's a little more about the setup:
} 
}    o Sendmail is authenticating users using saslauthd
}    o saslauthd is using PAM
}    o PAM is using pam-ldap with this setup in /etc/pam.d/smtp
} 
} auth            required        pam_nologin.so          no_warn
} auth            sufficient      pam_ldap.so             try_first_pass
} auth            include         system
} 
} 
} Using "testsaslauthd" works fine for authenticating users and everyone 
} seems to have no trouble.
} 
} It's just this one user that is magically authenticated with whatever 
} credentials the spammer is sending - and I have NO IDEA what the spammer 
} is sending. If I change the password and don't tell anyone, it still 
} authenticates! But only with this user and account.
} 
} It was suggested that saslauthd was caching the credentials, but after 
} restarting the whole machine (not just saslauthd) the problem persists.
} 
} So to sum up:
} 
}    o All the pieces work fine together, normally.
}    o Authentication using LDAP succeeds where it should.
}    o Saslauthd does its thing with no problem.
}    o Sendmail does its thing with no problem.
} 
}    o Because it takes deleting the local user account to make the
}      problem go away, I am led to believe that the failure is with
}      PAM. I think that, when pam_ldap.so fails, it tries the system
}      config and for some reason it authenticates the user.

     Yes, of course, since that's exactly what you're telling it
to do.  From "man pam.conf":

     sufficient  If this module succeeds, the chain is broken and the result
                 is success.  If it fails, the rest of the chain still runs,
                 but the final result will be failure unless a later module
                 succeeds.

What the system config does is unknown, since you didn't show it.

}-- End of excerpt from Louis Guillaume
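The control-flag rules quoted from pam.conf(5) above are easy to mis-read, so here is a small simulation of how an "auth" chain is evaluated, run against the /etc/pam.d/smtp policy Louis posted. This is an added illustration written for this page, not code from the thread, from NetBSD or from OpenPAM. The password stores, the pam_local.so module and the one-line "system" policy are constructed assumptions: the thread never shows what the real /etc/pam.d/system contains, so pam_local.so only stands in for "some module that accepts the local account with a password LDAP no longer holds". The "smtp-ldap-only" policy is likewise one possible variant with no fallback, not a fix recommended in the thread.

```python
"""Simulation of pam.conf(5) control-flag semantics for an 'auth' chain,
applied to the /etc/pam.d/smtp policy quoted in the message above.
Added illustration for this page; not code from the thread, from NetBSD
or from OpenPAM.  Password stores, pam_local.so and the 'system' policy
are constructed assumptions."""

from typing import Callable, Dict, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"

Module = Callable[[str, str], str]   # (user, password) -> result code
Policy = List[Tuple[str, str]]       # (control flag, module) lines


def expand(policies: Dict[str, Policy], name: str) -> Policy:
    """Splice 'include' lines in, the way pam.conf(5) nests policies."""
    lines: Policy = []
    for flag, target in policies[name]:
        if flag == "include":
            lines.extend(expand(policies, target))
        else:
            lines.append((flag, target))
    return lines


def run_chain(policies: Dict[str, Policy], name: str,
              modules: Dict[str, Module], user: str, password: str,
              trace: Optional[List[str]] = None) -> str:
    """Evaluate the chain and return the final result.

    Rules, following the pam.conf(5) wording quoted in the reply:
      required   failure is remembered, the chain keeps running
      requisite  failure ends the chain immediately
      sufficient success ends the chain with success (unless an earlier
                 required module already failed); failure lets the chain
                 keep running, and the result is failure unless a later
                 module succeeds
      optional   result is ignored
    """
    trace = trace if trace is not None else []
    first_failure: Optional[str] = None    # first required/requisite failure
    pending_failure: Optional[str] = None  # unresolved 'sufficient' failure
    for flag, modname in expand(policies, name):
        r = modules[modname](user, password)
        trace.append(f"auth {flag:<10} {modname:<16} -> {r}")
        if r == PAM_SUCCESS:
            pending_failure = None         # "unless a later module succeeds"
            if flag == "sufficient" and first_failure is None:
                return PAM_SUCCESS         # chain is broken, result is success
            continue
        if flag == "required" and first_failure is None:
            first_failure = r
        elif flag == "requisite":
            return first_failure or r
        elif flag == "sufficient":
            pending_failure = r            # rest of the chain still runs
        # optional: result ignored
    return first_failure or pending_failure or PAM_SUCCESS


def make_modules(ldap_store: Dict[str, str],
                 local_store: Dict[str, str]) -> Dict[str, Module]:
    """Toy modules: each one checks a plaintext store (constructed)."""
    def check(store: Dict[str, str]) -> Module:
        return lambda user, password: (
            PAM_SUCCESS if store.get(user) == password else PAM_AUTH_ERR)
    return {
        "pam_nologin.so": lambda user, password: PAM_SUCCESS,  # no /etc/nologin
        "pam_ldap.so": check(ldap_store),
        # hypothetical stand-in for whatever the unseen 'system' policy does
        "pam_local.so": check(local_store),
    }


POLICIES: Dict[str, Policy] = {
    # the /etc/pam.d/smtp lines quoted in the thread
    "smtp": [("required", "pam_nologin.so"),
             ("sufficient", "pam_ldap.so"),
             ("include", "system")],
    # constructed: the thread never shows /etc/pam.d/system
    "system": [("required", "pam_local.so")],
    # constructed variant with no fallback: LDAP is the only authority
    "smtp-ldap-only": [("required", "pam_nologin.so"),
                       ("required", "pam_ldap.so")],
}

# constructed stores: the LDAP password was rotated, the hypothetical
# local one was not
LDAP = {"victim": "rotated-secret"}
LOCAL = {"victim": "guessed-old"}


def authenticate(policy: str, user: str, password: str,
                 ldap: Dict[str, str] = LDAP,
                 local: Dict[str, str] = LOCAL) -> Tuple[str, List[str]]:
    """Run one policy and return (result, per-module trace)."""
    trace: List[str] = []
    result = run_chain(POLICIES, policy, make_modules(ldap, local),
                       user, password, trace)
    return result, trace


if __name__ == "__main__":
    for policy, pw in [("smtp", "guessed-old"), ("smtp", "rotated-secret"),
                       ("smtp-ldap-only", "guessed-old")]:
        result, trace = authenticate(policy, "victim", pw)
        print(f"policy={policy} password={pw!r}")
        print("\n".join("  " + t for t in trace), "\n  =>", result)
    # deleting the local account, as the poster did, removes the fallback
    result, _ = authenticate("smtp", "victim", "guessed-old", LDAP, {})
    print("smtp with local user removed =>", result)
```

Running it shows the two paths side by side: with the rotated LDAP password the chain stops at the "sufficient" pam_ldap.so line, but with the old password pam_ldap.so fails, the chain continues into the included "system" policy, and whatever succeeds there decides the outcome. Emptying the local store reproduces what Louis observed when he deleted the local user. The real /etc/pam.d/system is what needs to be read to know which module is actually saying yes.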

