GCE OSLogin module: init #51566

adisbladis · 2018-12-05T13:29:43Z

Motivation for this change

TODO

get Disable nscd caching #50316 merged, rebase on master
fix sudo
integrate with gke profiles
add to release notes

Things done

nixos/modules/security/pam.nix

flokli · 2018-12-06T15:32:14Z

cc @arianvp I cherry-picked commits from #50316 in here as well.

flokli · 2018-12-06T15:34:17Z

so far, logging in using the snakeoil ssh keys works, but there is some pam weirdness going on:

server# [   11.598934] systemd[1]: Starting User Manager for UID 1009719691...
server# [   11.626640] systemd[851]: PAM unable to resolve symbol: pam_sm_authenticate
server# [   11.628612] systemd[851]: PAM unable to resolve symbol: pam_sm_setcred
server# [   11.632156] systemd[851]: PAM unable to resolve symbol: pam_sm_open_session
server# [   11.634596] systemd[851]: PAM unable to resolve symbol: pam_sm_close_session

I guess, that's the reason fro why pam_oslogin_admin does not create the sudoers config file in /run/google-sudoers.d/mockadmin to allow mockadmin to sudo, which is why the test currently is failing.

nixos/modules/config/nsswitch.nix

flokli · 2018-12-06T15:43:09Z

nixos/modules/security/google_oslogin.nix

+      #includedir /run/google-sudoers.d
+    '';
+    systemd.tmpfiles.rules = [
+      "d /run/google-sudoers.d 660 root root -"


The - for age means systemd will create the directory with mentioned permissions and ownership, but not automatically clean up anything.

I moved that from /var/google-sudoers.d (and patched pam_module/pam_oslogin_admin.cc), as that location seemed much more suitable for runtime files.

pam_oslogin_admin.cc has code to clean up existing files if admin status is revoked, it's just a more meaningful location (and cleans up expired users on a reboot)

nixos/modules/security/google_oslogin.nix

nixos/modules/security/pam.nix

nixos/doc/manual/release-notes/rl-1903.xml

flokli · 2018-12-06T16:09:42Z

cc @Assassinkin @matthewbauer for other recent pam contributions

adisbladis · 2018-12-06T16:55:04Z

@flokli Could you squash the fixup commits? I don't mind you force-pushing to my fork.

flokli · 2018-12-06T17:16:23Z

I'd still like to get the TODOs fixed and #50316 merged before rebasing again.

Any ideas about the " PAM unable to resolve symbol:" errors?

flokli · 2018-12-12T14:16:32Z

Finally got sudo working - culprit was the pam_unix.so module configured wrongly in NixOS (see 04bf65e5ab26634aa5981a4762f70635d129daa0) for a detailed explanation.

This was fixed for sssd only in #31969, @dezgeg, @PsyanticY, can you have a look at 04bf65e5ab26634aa5981a4762f70635d129daa0, too?

adisbladis · 2018-12-12T16:07:33Z

Things seems to be working great now! Thanks @flokli for all the good work.

PsyanticY · 2018-12-12T16:14:32Z

@flokli I think it should be like that for all module not just sssd. account required pam_unix.so. when i fixed that for SSSD I mentioned that it should be like this for all modules but i thought maybe there was some use case for it being sufficient in nixos even thought all the other disto use required

PsyanticY · 2018-12-12T16:18:30Z

Even this part

          ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)
               "account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"}
           ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess)
              "account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}

it should not be sufficient. I would suggest removing the sssdStrictAccess option and swapping sufficient with this [default=bad success=ok user_unknown=ignore] .

flokli · 2018-12-12T17:22:24Z

Reading up on https://wiki.debian.org/LDAP/PAM, it seems this should at least work if all these 'external' pam modules provide an nss module, too. There are other examples on what can/should be done instead - but it seems to be very a combinatory hell.

Maybe we should limit the pam module to only allow one external pam module (sssd/ldap/oslogin/kerberos) to be active, and check configuration for them?

@PsyanticY

Having pam_unix set to "sufficient" means early-succeeding account management group, as soon as pam_unix.so is succeeding. This is not sufficient. For example, nixos modules might install nss modules for user lookup, so pam_unix.so succeeds, and we end the stack successfully, even though other pam account modules might want to do more extensive checks. Other distros seem to set pam_unix.so to 'required', so if there are other pam modules in that management group, they get a chance to do some validation too. For SSSD, @PsyanticY already added a workaround knob in NixOS#31969, while stating this should be the default anyway. I did some thinking in what could break - after this commit, we require pam_unix to succeed, means we require `getent passwd $username` to return something. This is the case for all local users due to the passwd nss module, and also the case for all modules installing their nss module to nsswitch.conf - true for ldap (if not explicitly disabled) and sssd. I'm not so sure about krb5, cc @eqyiel for opinions. Is there some nss module loaded? Should the pam account module be placed before pam_unix? We don't drop the `security.pam.services.<name?>.sssdStrictAccess` option, as it's also used some lines below to tweak error behaviour inside the pam sssd module itself (by changing it's 'control' field). This is also required to get admin login for Google OS Login working (NixOS#51566), as their pam_oslogin_admin accounts module takes care of sudo configuration.

…|Authentication)

The OS Login package enables the following components: AuthorizedKeysCommand to query valid SSH keys from the user's OS Login profile during ssh authentication phase. NSS Module to provide user and group information PAM Module for the sshd service, providing authorization and authentication support, allowing the system to use data stored in Google Cloud IAM permissions to control both, the ability to log into an instance, and to perform operations as root (sudo).

….security.googleOsLogin.enable is set

…-accounts-daemon Use googleOsLogin for login instead. This allows setting users.mutableUsers back to false, and to strip the security.sudo.extraConfig. security.sudo.enable is default anyhow, so we can remove that as well.

flokli · 2018-12-21T17:19:25Z

With #52488 being merged, this should be good to go, too.

adisbladis requested a review from infinisil as a code owner December 5, 2018 13:29

GrahamcOfBorg added 6.topic: nixos 8.has: module (update) 8.has: package (new) 10.rebuild-darwin: 0 10.rebuild-linux: 1-10 labels Dec 5, 2018

zimbatm reviewed Dec 5, 2018

View reviewed changes

nixos/modules/security/pam.nix Outdated Show resolved Hide resolved

flokli force-pushed the google-oslogin branch from e559972 to 7133576 Compare December 6, 2018 15:31

GrahamcOfBorg added 8.has: changelog 8.has: documentation labels Dec 6, 2018

flokli force-pushed the google-oslogin branch 2 times, most recently from 8bcdab3 to e8dff53 Compare December 6, 2018 15:38