xesite/talks/surreal-horror-pam-2021-11-...

266 lines
14 KiB
Markdown
Raw Normal View History

---
title: The Surreal Horror of PAM
date: 2021-11-09
slides_link: /static/talks/surreal-horror-pam.pdf
tags:
- alpinelinux
- pam
- satire
---
<iframe width="1043" height="587" src="https://www.youtube.com/embed/INjCiHUIjgg" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
[https://youtu.be/INjCiHUIjgg](https://youtu.be/INjCiHUIjgg)
---
![](/static/talks/surreal-horror-pam/001.jpeg)
Hi, Im Xe. You know this because that is what your computer tells you. But how
does it know that?
This is a partially satirical talk. It is intended to be mostly factually
accurate, however some of the details are stretched for comedic effect. This
talk may contain opinions, none of these opinions are the opinions of my
employer. I hope you enjoy this catharsis.
You may want to make sure you all are muted, as this is probably going to make
you laugh and Ill get speech jammed if I hear it. Im also planning on
publishing this publicly, so please avoid mentioning privileged information in
the Q&A section at the end.
![](/static/talks/surreal-horror-pam/002.jpeg)
So before we talk about complicated things, lets start with the basics. This is
how UNIX systems authenticate. They have some files in /etc/ that are
effectively plaintext databases for usernames, ids, groups and password hashes,
and those are what are used for this legacy authentication flow.
You start with a login program running as root (such as /bin/login) and then it
gets your username and password. Then it checks /etc/passwd to see if your user
account exists. If it does it grabs the user ID and uses that to look up more
information from /etc/groups to build up your dossier. Then it takes your
password and does some crazy math to it to compare it to the hashed password in
/etc/shadow. If it matches (or if someone forces it to match through malicious
means), then the login program forks a child process, impersonates your user
account based on that dossier from earlier, creates a login shell and finally
sends you off to do whatever it is you want to the poor computer.
Thats it. Thats how the classic System V authentication stack works.
Technically Im stretching things a bit as /etc/shadow was a fairly recent
addition (mostly because /etc/passwd is world-readable by design for some arcane
reason that I cant find on Google), but its basically that. Theres a few
steps Im leaving out for brevity, but they are boring things that only nerds
care about.
![](/static/talks/surreal-horror-pam/003.jpeg)
This UNIX authentication model is really that simple. You can explain the high
level details on a single slide that was hastily written at 8 am in about 5
minutes. However, because of this simplicity it leaves attackers with a small
list of targets to try to trick the computer into mucking with. But it does
work, mostly.
Some of the huge downsides are that it only works on one machine at the time.
This made sense for when UNIX was created as the model was to have a big ol
mainframe for a company and then have everyone connect to it, but in the
meantime weve gone around carrying supercomputers in our watches and always
having a calculator in our pockets (Miss Van Hamme, you should have been more
forward thinking than to insinuate otherwise in my second grade math class!).
Because of this (and the fact that said supercomputer watches also run a full
fledged UNIX kernel), we cant really rely on a model created for 1970s
mainframe technology to get the job done in this day and age of hyperconverged
cloud federated femtoservices.
![](/static/talks/surreal-horror-pam/004.jpeg)
The last sentence probably set off the beard twitching alarms, so yes there are
some workarounds here.
You could JUST put the files on a network filesystem. That would make them
immutable to whoever tries to mess with them on an individual machine. However
the peak of network filesystem security on Linux is “dont get your network
hacked lol”. They wont add the ability for a kernel mode filesystem driver to
make TLS validated sessions so you can use this thing called cryptography to
secure access to the filesystem and data on the wire. They are busy arguing with
people about how to send plain-text email and the like. You could also put those
files on a CD, set the immutable flag or something, but all that will do is
making changing passwords more expensive, annoying and filled with anger.
![](/static/talks/surreal-horror-pam/005.jpeg)
Whats that? I think I hear something coming.
![](/static/talks/surreal-horror-pam/006.jpeg)
Its sshd! Turns out that we do in fact need something more complicated because
we have networks and the cloud and complicated mutifactor auth requirements for
acronym compliance! We cant really do that with UNIX authentication because it
was designed before such things were even a glimmer in the eye of security
professionals.
Surely there has to be a better option out there _somewhere_.
![](/static/talks/surreal-horror-pam/007.jpeg)
Et voila! Cest le PAM! Turns out someone else a long time ago had the same
problems and somehow got legal to sign off on making it open source! PAM is a
modular system for making authentication and authorization work.
![](/static/talks/surreal-horror-pam/008.jpeg)
For reference, authentication and authorization are being split up into two
concepts here (like they are in a lot of the industry). Were gonna take a page
out of the white hats guide to security here and call these concepts
authentication (who you are and how we know who you are) and authorization (can
you _really_ take all the money out of the bank account?). It is a solid 90s
solution to a 70s problem and good god it shows.
![](/static/talks/surreal-horror-pam/009.jpeg)
PAM was made in the 90s by this little startup nobody here has heard of called
Sun Microsystems. They had a problem where they had a bunch of machines to apply
complicated authentication rules to (all thanks to those pesky enterprise
contracts) and no way to really do it. Money won this valiant fight between
engineering and sales, so we ended up with PAM.
![](/static/talks/surreal-horror-pam/010.jpeg)
So youre probably wondering something along the lines of “how does this thing
work?”. Carefully, that's how.
![](/static/talks/surreal-horror-pam/011.jpeg)
This is a screenshot of a text file (a common thing to do these days) of the
main PAM configuration file in a distribution called Alpine Linux. Im using
Alpine Linux here because it is the simpler option for getting PAM to work and I
really do not want to spend all day debugging PAM with gdb and strace on Ubuntu
to demonstrate it with that. PAM has a few kinds of modules:
* authentication, this is not just checking your password, but also making sure
that your account is allowed to be logged into and setting up things like your
preferred login shell
* account, the things that assign a user an account based on the circumstances
of their authentication or validate that somehow (this is also where an LDAP
server would get thrown into the mix if you really hate yourself)
* password, the things that check passwords or do other kinds of validation like
that (if you want to use Google Authenticator TOTP codes, youd do that here)
* session, these things handle other system errata like making sure the
message-of-the-day (MOTD) is shown when you log in or letting logind know
about the session so it can make a cgroup for you
All of these modules are implemented as dynamically linked libraries in C (the
HEIGHT of modern programming security, as we all know) and PAM works by loading
all of these files out of /lib/security, throwing them directly into ram and
then executing arbitrary C ABI functions out of them to see what they return.
Yes, really. I am still surprised that the modules are written in C and not Java
given it was from Sun.
If you typo this configuration file and dont have a root session open with your
box, it is even worse than typoing the /etc/sudoers file. Typoing /etc/sudoers
will just make it impossible to use sudo. Your system can limp along in the
meantime or you can directly login as root or something to mend the situation,
but typoing the PAM file will cause glibc to hold your wife and children hostage
until you forcibly reboot the system and hack back into it so you can regain
control.
![](/static/talks/surreal-horror-pam/012.jpeg)
How is this relevant to us? Well, I have a bit of a side project going on. Ive
been trying to write a PAM module that would use Tailscale as its authentication
method.
When you are on a Tailscale network, you are already past a two-factor auth
trust barrier. If we know who you are, and you are authorized to connect to the
server by its ACLs, why should we subject you to the surreal horror of local
authentication logic in order to let you SSH into the server? We know who you
are. Youre allowed to connect to it, so why stop you?
![](/static/talks/surreal-horror-pam/013.jpeg)
The heart of the PAM module Ive been writing looks like this right now. It sets
up syslog for its log sink (this is really your only good option in PAM land)
with a syslog client, grabs the status of the network from tailscaled, and
finally makes sure that the IP address is in the tailnet. This probably should
be more complicated in the future, Ive had ideas for sending a TSMP message to
the source machine to prompt you with a “are you sure you want to do that” style
message, but they are just ideas right now. But yes, the rest is a bunch of
random boilerplate code to deal with PAMs complexities, making sure that the C
ABI functions are exposed correctly and other helpers to grab things from
tailscaled with unix sockets.
[https://github.com/tailscale/pam](https://github.com/tailscale/pam)
This is written in Rust because I personally believe that writing security
critical components that we would ship with the operating system in C is a
massive disservice to our users. Go also doesnt really have a good story to do
interoperability with core C system components like this (the Go runtime is
_massive_ and as of writing this post the entire PAM module Ive written is
smaller than the Go runtime, even with a statically compiled copy of libcurl).
Plus I also get to use this to point out the little question mark at the end of
the third line of this code blurb. See that question mark? It is an “if err !=
nil, return nil, err” statement. Its handled at compile time and it will even
return the Ok side of the result if there is one. God I understand why Go cant
have that nice thing but it would take at least 7 lines of code out of my
keyboard firmware if we had that nice thing in Go (not to mention countless
editor macros for other people).
If you want to peek around the C module part of the PAM project, the QR code
will take you there.
![](/static/talks/surreal-horror-pam/014.jpeg)
Im fairly sure that I can get away with this (I made my appropriate sacrifices
to the demo gods this morning), so lets try SSHing into a VM on my laptop. If
you are watching the recording of this talk or you are not in the corp tailnet,
that command will not work. However you should see something like this:
![](/static/talks/surreal-horror-pam/015.jpeg)
It would be really cool to flesh this out as a full product. I feel this could
really make peoples lives a lot easier. The hard part is going to be making
sure that this absolutely has security experts pore over this to make sure that
this is _actually_ safe. Im fairly sure that it is safe as it is, but right now
this is an uberhammer that lets you log in as root if you get SSH access to a
system. I would love to have this send a TSMP message to have a GUI prompt
validate that you want to do this as a kind of second factor for authentication,
but even in this limited state I feel it has a lot of value as is.
![](/static/talks/surreal-horror-pam/016.jpeg)
Something you may wonder (and something I had to wonder too) is how do you debug
PAM?
![](/static/talks/surreal-horror-pam/017.jpeg)
It aint easy. Im currently trying to get this thing to work on Ubuntu and all
of the paths I have taken are fraught with despair. I have luckily not managed
to lock myself out of the system yet, but it is really fighting me. You know
youre in for a ride when obscure PDFs of ring-binder manuals that have been
poorly maintained tell you to do things that literally do not exist anymore.
Ive had to use a combination of a debugger and a system call tracing tool to
get anywhere with it. PAM is a surreal horror because the most terrifying part
is that it works and that theres not really any good other options.
![](/static/talks/surreal-horror-pam/018.jpeg)
This is not OpenBSD or Plan 9. This is Linux and macOS. Those exist but we cant
use them because we are cursed into using PAM. Especially so if we want to do
this on arbitrary customer machines.
![](/static/talks/surreal-horror-pam/019.jpeg)
Thats the end of the talk! I want to give special thanks to the council of
elders that I summoned the help of in order to get this far. Without their help
(and at least 800 bing points worth of searching) I would have never been able
to understand this at all. If you have any questions, you can ask them now; just
remember that you probably are still on mute.
---
As a note to people who are reading: if you want my wit, charm and/or smarmy
style to grace your conference of choice, please [get in contact with
me](/contact) and I'll see what I can do to make it happen.