Bug 6346 - There is no way to restrict login access to specific hosts / user combinations
Summary: There is no way to restrict login access to specific hosts / user combinations
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Access
Version: 1.3.1
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.10.0
Assignee: Henrik Andersson
URL:
Keywords: ossman_tester, relnotes
Duplicates: 7142
Depends on:
Blocks:
 
Reported: 2017-04-18 15:30 CEST by Pierre Ossman
Modified: 2018-06-13 11:12 CEST
CC: 2 users

See Also:
Acceptance Criteria:
- Full support for fine grained access control using user, group and network, focused on using the pam_access.so PAM module.
- PAM_RHOST should be set with the IP address of the remote end of the communication. This means that if Web Access is reached through a NAT setup, the IP address of the firewall is used.
- Update of release notes


Description Pierre Ossman cendio 2017-04-18 15:30:17 CEST
We don't send along the remote host to PAM when authenticating a user in Web Access. This prevents logging and using things like pam_access.so.

pamtester seems to have an argument for this, so it might be an easy fix.
Comment 4 Pierre Ossman cendio 2018-04-18 13:43:53 CEST
*** Bug 7142 has been marked as a duplicate of this bug. ***
Comment 6 Henrik Andersson cendio 2018-06-05 10:34:14 CEST
Problem description:

When using the native client, which uses SSH for authentication, one can use its
mechanisms to restrict who can log in based on where they come from, using
'AllowedUsers' in the SSHD configuration.

This is not possible with ThinLinc Web Access client.
Comment 8 Pierre Ossman cendio 2018-06-12 14:22:39 CEST
> - Full support for fine grained access control using
>   user, group and network, focused on using the
>   pam_access.so PAM module.
> 

Works well. I set up the following rules:

+:tltest:::1
-:tltest:ALL
+:ALL:10.0.0.0/8
+:ALL:::ffff:10.0.0.0/104
-:ALL:ALL

And the result was that tltest could only log on via localhost, not any external address. Everyone else could log on fine as long as they came from the local network.

> - PAM_RHOST should be set with the IP address of the
>   remote end of the communication. This means that if Web
>   Access is reached through a NAT setup, the IP address
>   of the firewall is used.
> 

I can see the remote host set correctly in the logs:

> Jun 12 14:04:54 ossman pamtester[11660]: pam_unix(thinlinc:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:10.47.1.240  user=tltest
> Jun 12 14:05:21 ossman pamtester[11709]: pam_unix(thinlinc:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::1  user=tltest

Before it was just empty:

> Jun 12 13:48:45 ossman pamtester[9499]: pam_unix(thinlinc:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=tltest


> - Update of release notes

Looks good, but it is not in the web access specific section.
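The following is an added example, not ThinLinc code and not a replacement for the real pam_access.so module: a small Python evaluator of the access.conf semantics that the rule set in comment 8 relies on (first matching rule wins, access is granted when no rule matches, IPv4 and IPv6 CIDR origins, the origin being whatever PAM is handed as PAM_RHOST). It only models the subset of the syntax those five rules use (no EXCEPT lists, netgroups, hostname or LOCAL origins); the user name "alice", the constructed user's group list and the address 198.51.100.9 are made up for the demonstration, while the rule set and the ::1 / ::ffff:10.47.1.240 origins come from the comment above.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: the pam_access rule set quoted in comment 8.
ACCESS_CONF = """\
+:tltest:::1
-:tltest:ALL
+:ALL:10.0.0.0/8
+:ALL:::ffff:10.0.0.0/104
-:ALL:ALL
"""


@dataclass
class Rule:
    permit: bool   # '+' permits, '-' denies
    users: list    # user names, group names, (group) or ALL
    origins: list  # ALL, or IPv4/IPv6 addresses and CIDR networks


def parse_access_conf(text):
    """Parse access.conf-style lines of the form permission:users:origins.

    Only the first two ':' separate fields, so IPv6 origins such as '::1'
    or '::ffff:10.0.0.0/104' keep their own colons.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        perm, users, origins = line.split(":", 2)
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in rule: {raw!r}")
        if "EXCEPT" in users.split() or "EXCEPT" in origins.split():
            raise ValueError("EXCEPT lists are not modelled by this toy evaluator")
        rules.append(Rule(perm == "+", users.split(), origins.split()))
    return rules


def user_matches(field, user, groups):
    if field == "ALL":
        return True
    if field.startswith("(") and field.endswith(")"):   # (group): group only
        return field[1:-1] in groups
    # pam_access tries the name as a user first, then as one of the user's groups.
    return field == user or field in groups


def origin_matches(field, rhost):
    if field == "ALL":
        return True
    try:
        addr = ipaddress.ip_address(rhost)
    except ValueError:
        # Not an IP literal (e.g. the empty rhost from before this fix): real
        # pam_access would attempt hostname/domain matching; this toy only
        # accepts an exact string match, an assumption of the example.
        return field.lower() == rhost.lower()
    try:
        net = ipaddress.ip_network(field, strict=False)
    except ValueError:
        return False   # hostname field cannot match an IP origin in this toy
    # An IPv4 origin never matches an IPv6 network here and vice versa, which is
    # why listing both 10.0.0.0/8 and ::ffff:10.0.0.0/104 covers either form.
    return addr.version == net.version and addr in net


def check_access(rules, user, rhost, groups=()):
    """First matching rule decides; with no match, pam_access grants access."""
    for rule in rules:
        if any(user_matches(u, user, groups) for u in rule.users) and \
           any(origin_matches(o, rhost) for o in rule.origins):
            return rule.permit
    return True


def evaluate_comment8_scenarios():
    """Re-run the outcomes reported in comment 8 plus a constructed outsider."""
    rules = parse_access_conf(ACCESS_CONF)
    cases = [
        ("tltest", "::1"),                  # local login: permitted
        ("tltest", "::ffff:10.47.1.240"),   # external address: denied
        ("alice", "::ffff:10.47.1.240"),    # constructed user, local network
        ("alice", "10.47.1.240"),           # same, plain IPv4 form
        ("alice", "198.51.100.9"),          # constructed non-local address
    ]
    return {case: check_access(rules, *case) for case in cases}


if __name__ == "__main__":
    for (user, rhost), allowed in evaluate_comment8_scenarios().items():
        print(f"{user:8} from {rhost:22} -> {'permit' if allowed else 'deny'}")
```

The evaluator makes the point of the bug concrete: every rule except ALL is keyed on the origin, so until Web Access passes PAM_RHOST the module sees an empty origin and only the catch-all rules can ever fire.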
