6346 – There is no way to restrict login access to specific hosts / user combinations

Bug 6346 - There is no way to restrict login access to specific hosts / user combinations

Summary: There is no way to restrict login access to specific hosts / user combinations

Status:	CLOSED FIXED

Alias:	None

Product:	ThinLinc
Classification:	Unclassified
Component:	Web Access (show other bugs)
Version:	1.3.1
Hardware:	PC Unknown

Importance:	P2 Normal
Target Milestone:	4.10.0
Assignee:	Henrik Andersson

URL:
Keywords:	ossman_tester, relnotes

Duplicates (1):	7142 (view as bug list)
Depends on:
Blocks:

Reported:	2017-04-18 15:30 CEST by Pierre Ossman
Modified:	2018-06-13 11:12 CEST (History)
CC List:	2 users (show)

See Also:
Acceptance Criteria:	- Full support for fine grained access control using user, group and network focused of using the pam_access.so PAM module. - PAM_RHOST should be set with the IP address of the remote end of communication. This means that if Web access is reached a through NAT setup, the IP address of firewall is used. - Update of release notes

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Pierre Ossman cendio

2017-04-18 15:30:17 CEST

We don't send along the remote host to PAM when authenticating a user in Web Access. This prevents logging and using things like pam_access.so.

pamtester seems to have an argument for this, so it might be an easy fix.

Comment 4 Pierre Ossman cendio

2018-04-18 13:43:53 CEST

*** Bug 7142 has been marked as a duplicate of this bug. ***

Comment 6 Henrik Andersson cendio

2018-06-05 10:34:14 CEST

Problem description:

When using the native client which uses SSH for authentication one can use it's
mechanisms to restrict who can login based on from where using the
'AllowedUsers' in SSHD configuration.

This is not possible with ThinLinc Web Access client.

Comment 8 Pierre Ossman cendio

2018-06-12 14:22:39 CEST

> - Full support for fine grained access control using
>   user, group and network focused of using the 
>   pam_access.so PAM module.
> 

Works well. I set up the following rules:

+:tltest:::1
-:tltest:ALL
+:ALL:10.0.0.0/8
+:ALL:::ffff:10.0.0.0/104
-:ALL:ALL

And the result was that tltest could only log on via localhost, not any external address. Everyone else could log on fine as long as they came from the local network.

> - PAM_RHOST should be set with the IP address of the 
>   remote end of communication. This means that if Web 
>   access is reached a through NAT setup, the IP address 
>   of firewall is used.
> 

I can see the remote host set correctly in the logs:

> Jun 12 14:04:54 ossman pamtester[11660]: pam_unix(thinlinc:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:10.47.1.240  user=tltest
> Jun 12 14:05:21 ossman pamtester[11709]: pam_unix(thinlinc:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::1  user=tltest

Before it was just empty:

> Jun 12 13:48:45 ossman pamtester[9499]: pam_unix(thinlinc:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=tltest


> - Update of release notes

Looks good, but it is not in the web access specific section.

Note You need to log in before you can comment on or make changes to this bug.