www.cendio.com

Bug 6346

Summary: There is no way to restrict login access to specific hosts / user combinations
Product: ThinLinc
Reporter: Pierre Ossman <ossman@cendio.se>
Component: Web Access
Assignee: Henrik Andersson <hean01@cendio.se>
Status: CLOSED FIXED
QA Contact: Bugzilla mail exporter <bugzilla-qa@cendio.se>
Severity: Normal
Priority: P2
CC: astrand@cendio.se, hean01@cendio.se
Version: 1.3.1
Keywords: ossman_tester, relnotes
Target Milestone: 4.10.0
Hardware: PC
OS: Unknown
Acceptance Criteria:
- Full support for fine-grained access control using the user-, group- and network-based rules of the pam_access.so PAM module.
- PAM_RHOST should be set to the IP address of the remote end of the communication. This means that if Web Access is reached through a NAT setup, the IP address of the firewall is used.
- Update of release notes

Description From cendio 2017-04-18 15:30:17
We don't send along the remote host to PAM when authenticating a user in Web
Access. This prevents logging and using things like pam_access.so.

pamtester seems to have an argument for this, so it might be an easy fix.
------- Comment #4 From cendio 2018-04-18 13:43:53 -------
*** Bug 7142 has been marked as a duplicate of this bug. ***
------- Comment #6 From cendio 2018-06-05 10:34:14 -------
Problem description:

When using the native client, which uses SSH for authentication, one can use its
mechanisms to restrict who can log in based on where they connect from, using
'AllowedUsers' in the SSHD configuration.

This is not possible with ThinLinc Web Access client.
------- Comment #8 From cendio 2018-06-12 14:22:39 -------
> - Full support for fine grained access control using
>   user, group and network focused of using the 
>   pam_access.so PAM module.
> 

Works well. I set up the following rules:

+:tltest:::1
-:tltest:ALL
+:ALL:10.0.0.0/8
+:ALL:::ffff:10.0.0.0/104
-:ALL:ALL

And the result was that tltest could only log on via localhost, not any
external address. Everyone else could log on fine as long as they came from the
local network.

> - PAM_RHOST should be set with the IP address of the 
>   remote end of communication. This means that if Web 
>   access is reached through a NAT setup, the IP address 
>   of firewall is used.
> 

I can see the remote host set correctly in the logs:

> Jun 12 14:04:54 ossman pamtester[11660]: pam_unix(thinlinc:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:10.47.1.240  user=tltest
> Jun 12 14:05:21 ossman pamtester[11709]: pam_unix(thinlinc:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::1  user=tltest

Before it was just empty:

> Jun 12 13:48:45 ossman pamtester[9499]: pam_unix(thinlinc:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=tltest


> - Update of release notes

Looks good, but it is not in the web access specific section.
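To make the rule set tested in comment #8 checkable offline, here is a small evaluator for the subset of access.conf syntax used above (one user or ALL, one origin as ALL, an address or a CIDR prefix). It is an added example, not ThinLinc or Linux-PAM code, and it assumes simplified pam_access semantics: first matching line decides, no match grants access, and groups, hostnames, LOCAL and EXCEPT are not modelled.

```python
import ipaddress

# Constructed copy of the pam_access rules tested in comment #8 above.
ACCESS_CONF = """\
+:tltest:::1
-:tltest:ALL
+:ALL:10.0.0.0/8
+:ALL:::ffff:10.0.0.0/104
-:ALL:ALL
"""

def parse_rules(text):
    """Parse access.conf into (permit, user, origin); only the subset used on
    this page: permission, one user or ALL, one origin (ALL, address or CIDR)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, user, origin = line.split(":", 2)  # origin may itself contain ':'
        rules.append((perm == "+", user, origin))
    return rules

def origin_matches(origin, rhost):
    """Match PAM_RHOST against one origin field (addresses compared literally)."""
    if origin == "ALL":
        return True
    if not rhost:
        # Empty rhost, as Web Access sent before this fix: no network rule can apply.
        return False
    addr = ipaddress.ip_address(rhost)
    if "/" in origin:
        # ::ffff:10.47.1.240 is an IPv6 object here, so it matches the /104 line
        # but not 10.0.0.0/8; that is why the rule set lists both forms.
        return addr in ipaddress.ip_network(origin, strict=False)
    return addr == ipaddress.ip_address(origin)

def access_allowed(rules, user, rhost):
    """First rule whose user and origin both match decides. As in pam_access,
    no match at all grants access, hence the closing '-:ALL:ALL' line.
    Groups, hostnames, LOCAL and EXCEPT are not modelled (simplification)."""
    for permit, ruser, origin in rules:
        if ruser in ("ALL", user) and origin_matches(origin, rhost):
            return permit
    return True

RULES = parse_rules(ACCESS_CONF)
```

Running `access_allowed(RULES, "tltest", "::1")` and `access_allowed(RULES, "tltest", "::ffff:10.47.1.240")` reproduces the outcome described above: tltest is accepted only from localhost, while any other user is accepted from the 10.0.0.0/8 network in either address form.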