pam_exec.so behaviour

Created: 08.04.2021

Recently I was wondering how passwords are passed between PAM modules. I wanted the user to be asked for both an OTP (verified in Vault using the vault-ssh-helper app) and a local password (usually checked against /etc/shadow) when logging in to the server via ssh.

The PAM configuration should look something like this:

auth required pam_unix.so
auth required pam_exec.so debug expose_authtok log=/var/log/vault-ssh.log /usr/local/sbin/vault-ssh-helper -dev -config=/etc/vault-ssh-helper.d/config.hcl

and sshd_config should also include:

ChallengeResponseAuthentication yes
PermitEmptyPasswords no

Unfortunately, vault-ssh-helper is an application written in Go, not a PAM library, so it has to be run through pam_exec.so. This is where the problem lies. PAM and SSH work together in such a way that the password entered by the user goes to both the pam_unix and the pam_exec module as input. But I want a different behaviour: I want pam_unix to ask the user for a password (checked against /etc/shadow) and pam_exec to ask the user for a separate password (checked in Vault with vault-ssh-helper).

The first module, pam_unix, can ask the user for input, but pam_exec cannot. It can only read from stdin, which carries the same password the user already typed and pam_unix already checked.

In short, logging in looks like this:

  • The user generates an OTP in Vault, for example: vault write ssh/creds/otp_key_role ip=SERVER_IP
  • The user runs ssh SERVER_IP
  • The user is prompted for a password
  • The user enters the correct local password
  • This password is checked by pam_unix.so, with result true
  • The same password is then checked by pam_exec.so running /usr/local/sbin/vault-ssh-helper; for obvious reasons this check fails
  • The user is refused login.

As can be seen, there is no place here to enter the OTP generated before. The only way out of this situation is the following configuration:

auth sufficient pam_unix.so
auth sufficient pam_exec.so debug expose_authtok log=/var/log/vault-ssh.log /usr/local/sbin/vault-ssh-helper -dev -config=/etc/vault-ssh-helper.d/config.hcl

But unfortunately it does not meet my goal. In the example above the user must provide a password or (not and) an OTP; either factor alone logs the user in.
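As an added example, not from the post and not vault-ssh-helper's own code, here is a stand-in for the program pam_exec.so launches. It makes the behaviour described above concrete: the only secret such a helper can get is the one already typed, delivered on stdin by expose_authtok, and it has no conversation with the user through which to ask for a second one.

```shell
#!/bin/sh
# Added example (not from the post, not vault-ssh-helper): a stand-in for
# the helper started by
#   auth required pam_exec.so expose_authtok log=/var/log/x.log /path/helper
# pam_exec gives the helper the password the user already typed (the same
# one pam_unix just checked) on stdin and the PAM context in environment
# variables. A non-zero exit makes the module fail.

# read_authtok: consume the token pam_exec writes to stdin. pam_exec sends
# it followed by a NUL byte, which tr strips. The token is only returned to
# the caller; it is the plaintext password and must never reach the log.
read_authtok() {
  tr -d '\0'
}

# helper_main: what the pam_exec target does with its inputs. PAM_USER,
# PAM_TYPE, PAM_RHOST and friends are set by pam_exec; with log= on the
# pam line, stdout/stderr are appended to that file, so print metadata only.
helper_main() {
  user=${PAM_USER:-unknown}
  type=${PAM_TYPE:-unknown}
  tok=$(read_authtok)
  if [ -z "$tok" ]; then
    echo "helper: no authtok on stdin (expose_authtok missing?)" >&2
    return 1
  fi
  # A real helper would verify "$tok" against its backend here (the post
  # uses a Vault OTP). Because stdin is all pam_exec provides, the value is
  # whatever the user typed at the single password prompt, nothing else.
  echo "helper: type=$type user=$user authtok_len=${#tok}" >&2
  return 0
}
```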


Building ISO - bootable from pendrive + UEFI

Created: 26.01.2020

If you are facing the problem of modifying ISO content: you have unpacked everything, changed the content, and you can't build a working image again with xorriso. I have one pro-tip. You can inspect the structure of the original ISO and generate the commands needed to build a new one with:

xorriso -indev ./kali.iso -report_system_area plain -report_el_torito cmd

Output should look like this:

xorriso 1.5.2 : RockRidge filesystem manipulator, libburnia project.

xorriso : NOTE : ISO image bears MBR with  -boot_image any partition_offset=16
xorriso : NOTE : Loading ISO image tree from LBA 0
xorriso : UPDATE :    1305 nodes read in 1 seconds
xorriso : NOTE : Detected El-Torito boot information which currently is set to be discarded
Drive current: -indev './kali.iso'
Media current: stdio file, overwriteable
Media status : is written , is appendable
Boot record  : El Torito , MBR isohybrid cyl-align-on
Media summary: 1 session, 443744 data blocks,  867m data, 26.7g free
Volume id    : 'Kali Live'
System area options: 0x00000102
System area summary: MBR isohybrid cyl-align-on
ISO image size/512 : 1774976
Partition offset   : 16
MBR heads per cyl  : 64
MBR secs per head  : 32
MBR partition table:   N Status  Type        Start       Blocks
MBR partition      :   1   0x80  0x17           64      1773504
MBR partition      :   2   0x00  0x01      1773568         1408
-volid 'Kali Live'
-volume_date uuid '2018101617103600'
-boot_image isolinux system_area=--interval:imported_iso:0s-15s:zero_mbrpt:'./kali.iso'
-boot_image any partition_cyl_align=on
-boot_image any partition_offset=16
-boot_image any partition_hd_cyl=64
-boot_image any partition_sec_hd=32
-boot_image any mbr_force_bootable=on
-append_partition 2 0x1 --interval:imported_iso:1773568d-1774975d::'./kali.iso'
-boot_image any iso_mbr_part_type=0x17
-boot_image any cat_path='/isolinux/boot.cat'
-boot_image isolinux bin_path='/isolinux/isolinux.bin'
-boot_image any platform_id=0x00
-boot_image any emul_type=no_emulation
-boot_image any load_size=2048
-boot_image any boot_info_table=on
-boot_image any next
-boot_image any efi_path='/boot/grub/efi.img'
-boot_image any platform_id=0xef
-boot_image any emul_type=no_emulation
-boot_image any load_size=720896

Final command to build the new ISO based on the above:

xorriso -outdev ./kali_new.iso -indev ../kali.iso -map CONTENT_OF_ISO / \
-volid 'Kali Live' \
-volume_date uuid '2018101617103600' \
-boot_image isolinux system_area=--interval:imported_iso:0s-15s:zero_mbrpt:'../kali.iso' \
-boot_image any partition_cyl_align=on \
-boot_image any partition_offset=16 \
-boot_image any partition_hd_cyl=64 \
-boot_image any partition_sec_hd=32 \
-boot_image any mbr_force_bootable=on \
-append_partition 2 0x1 --interval:imported_iso:1773568d-1774975d::'../kali.iso' \
-boot_image any iso_mbr_part_type=0x17 \
-boot_image any cat_path='/isolinux/boot.cat' \
-boot_image isolinux bin_path='/isolinux/isolinux.bin' \
-boot_image any platform_id=0x00 \
-boot_image any emul_type=no_emulation \
-boot_image any load_size=2048 \
-boot_image any boot_info_table=on \
-boot_image any next \
-boot_image any efi_path='/boot/grub/efi.img' \
-boot_image any platform_id=0xef \
-boot_image any emul_type=no_emulation \
-boot_image any load_size=720896

As you can see, most of the extracted parameters can be applied to the new build of the image. A little tuning of the -outdev, -indev and -map parameters and that's all.
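As an added example (not from the post), a small script that does that tuning mechanically: it keeps only the command lines of the xorriso report, rewrites the image path if the rebuild runs from another directory (./kali.iso became ../kali.iso above), and prefixes the -outdev/-indev/-map part. The report excerpt it ships with is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not from the post: turn the report produced by
#   xorriso -indev IMG -report_system_area plain -report_el_torito cmd
# into a ready-to-run rebuild command so nothing is retyped by hand.
# Only lines beginning with "-" are xorriso commands; NOTE/UPDATE and
# summary lines are diagnostics and are dropped. Paths inside the report
# refer to the image given to -indev, so they are rewritten when the new
# build is started from a different directory.

# gen_rebuild_cmd REPORT_FILE REPORTED_ISO NEW_ISO_PATH CONTENT_DIR OUT_ISO
# Prints one multi-line xorriso invocation; every line but the last ends
# in a continuation backslash.
gen_rebuild_cmd() {
  report=$1; reported=$2; iso=$3; content=$4; out=$5
  printf 'xorriso -outdev %s -indev %s -map %s / \\\n' "$out" "$iso" "$content"
  grep '^-' "$report" \
    | sed "s#'$reported'#'$iso'#g" \
    | awk '{ l[NR] = $0 }
           END { for (i = 1; i <= NR; i++)
                   printf "%s%s\n", l[i], (i < NR ? " \\" : "") }'
}

# count_cmd_lines FILE: how many xorriso command lines the report holds.
count_cmd_lines() { grep -c '^-' "$1"; }

# sample_report FILE: write a constructed excerpt of the report above
# (two diagnostic lines, three command lines) for trying the functions.
sample_report() {
  cat > "$1" <<'EOF'
xorriso : NOTE : Loading ISO image tree from LBA 0
Volume id    : 'Kali Live'
-volid 'Kali Live'
-boot_image isolinux system_area=--interval:imported_iso:0s-15s:zero_mbrpt:'./kali.iso'
-boot_image any partition_offset=16
EOF
}
```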


How to build multiple kickstart ISO/USB stick

Created: 04.09.2017

This tutorial describes how to rebuild a CentOS distribution image so that it offers a grub menu with multiple kickstart entries. The generated ISO image can be burned to CD/DVD or written to a USB stick.

Step 1 - Prepare directories and download software

mkdir /tmp/centos_rw
mkdir /tmp/centos_ro

# Download software to build iso
sudo aptitude install xorriso

# Download the latest CentOS 7 ISO
wget http://ftp.wcss.pl/pub/linux/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1611.iso -O /tmp/centos.iso

Step 2 - Mount ISO and copy files

# Mount cd
sudo mount /tmp/centos.iso /tmp/centos_ro

# The directory is read only but we need to modify several files.
# Therefore, we will now copy /tmp/centos_ro to /tmp/centos_rw
sudo cp -R /tmp/centos_ro/* /tmp/centos_rw/
sudo chown -R myuser /tmp/centos_rw

After that step we have all files extracted from the ISO in the /tmp/centos_rw directory. We use it to build the new, modified image. Before we start, do some cleanup first:

sudo umount /tmp/centos_ro
rmdir /tmp/centos_ro

Step 3 - Let's take a look at the structure of directories in the unpacked ISO

# ls -all /tmp/centos_rw
total 320K
drwxr-xr-x  8 pyton pyton 4.0K Sep  5 21:18 .
drwxrwxrwt 17 root  root  4.0K Sep  5 21:26 ..
-rw-r--r--  1 pyton   502   14 Sep  5 21:22 CentOS_BuildTag
drwxr-xr-x  3 pyton   502 4.0K Jul  4  2014 EFI
-rw-r--r--  1 pyton   502  611 Sep  5 21:22 EULA
-rw-r--r--  1 pyton   502  18K Sep  5 21:22 GPL
drwxr-xr-x  3 pyton   502 4.0K Jul  4  2014 images
drwxr-xr-x  2 pyton   502 4.0K Jul  4  2014 isolinux
drwxr-xr-x  2 pyton   502 4.0K Jul  4  2014 LiveOS
drwxr-xr-x  2 pyton   502 248K Jul  5  2014 Packages
drwxr-xr-x  2 pyton root  4.0K Jul  5  2014 repodata
-rw-r--r--  1 pyton   502 1.7K Sep  5 21:24 RPM-GPG-KEY-CentOS-7
-rw-r--r--  1 pyton   502 1.7K Sep  5 21:24 RPM-GPG-KEY-CentOS-Testing-7
-r--r--r--  1 pyton root  2.9K Sep  5 21:24 TRANS.TBL

The most interesting directory for us is isolinux:

# ls -all /tmp/centos_rw/isolinux
total 70M
drwxr-xr-x 2 pyton   502 4.0K Jul  4  2014 .
drwxr-xr-x 8 pyton pyton 4.0K Sep  5 21:18 ..
-r--r--r-- 1 pyton root  2.0K Sep  5 21:22 boot.cat
-rw-r--r-- 1 pyton   502   84 Sep  5 21:22 boot.msg
-rw-r--r-- 1 pyton   502  281 Sep  5 21:22 grub.conf
-rw-r--r-- 1 pyton   502  34M Sep  5 21:22 initrd.img
-rw-r--r-- 1 pyton   502  24K Sep  5 21:22 isolinux.bin
-rw-r--r-- 1 pyton   502 3.0K Sep  5 21:22 isolinux.cfg
-rw-r--r-- 1 pyton   502 173K Sep  5 21:22 memtest
-rw-r--r-- 1 pyton   502  186 Sep  5 21:22 splash.png
-r--r--r-- 1 pyton root  2.4K Sep  5 21:22 TRANS.TBL
-rw-r--r-- 1 pyton   502  32M Sep  5 21:22 upgrade.img
-rw-r--r-- 1 pyton   502 153K Sep  5 21:22 vesamenu.c32
-rwxr-xr-x 1 pyton   502 4.7M Sep  5 21:22 vmlinuz

In the /tmp/centos_rw/isolinux/isolinux.cfg file you will find the bootloader configuration. This is where we modify the entries so that when you boot from our image you see a multi-entry menu that starts the installation from a kickstart. In addition, by replacing the splash.png file you can set your own bootloader logo.

Step 4 - Add example kickstarts and splash to image directory

wget http://www.pyton.systems/download/it/others/kickstart_sample.cfg -O /tmp/centos_rw/isolinux/ks1.cfg
wget http://www.pyton.systems/download/it/others/kickstart_sample2.cfg -O /tmp/centos_rw/isolinux/ks2.cfg
wget http://www.pyton.systems/download/it/others/splash_bsd_linux.png -O /tmp/centos_rw/isolinux/splash.png

Step 5 - Configure bootloader

Now we edit the boot loader configuration and add some entries.

vim /tmp/centos_rw/isolinux/isolinux.cfg

The most interesting entry for us is the one that looks like this:

label linux
  menu label ^Install CentOS 7
  kernel vmlinuz
  append initrd=initrd.img inst.stage2=hd:LABEL=CentOS\x207\x20x86_64 quiet

We replace it with a boot configuration made of two entries using two different kickstarts. It should look like this:

label linux
  menu label ^Install - CentOS Linux 7 - kickstart 1
  kernel vmlinuz
  append initrd=initrd.img inst.stage2=hd:LABEL=CentOS\x207\x20x86_64 ks=hd:LABEL=CentOS\x207\x20x86_64:/isolinux/ks1.cfg

label linux
  menu label ^Install - CentOS Linux 7 - kickstart 2
  kernel vmlinuz
  append initrd=initrd.img inst.stage2=hd:LABEL=CentOS\x207\x20x86_64 ks=hd:LABEL=CentOS\x207\x20x86_64:/isolinux/ks2.cfg

Please do not use ks=cdrom:/ks.cfg or similar inventions. It is important to give the path via LABEL if we want our kickstart to be found from either a DVD or a USB stick.

Step 6 - Create ISO file

cd /tmp/centos_rw

xorriso -as mkisofs -o /tmp/centos_kickstart.iso -V "CentOS 7 x86_64" -isohybrid-mbr --interval:local_fs:0s-15s:zero_mbrpt,zero_gpt:"/tmp/centos.iso" -partition_cyl_align off -partition_offset 0 -c isolinux/boot.cat -b isolinux/isolinux.bin -no-emul-boot -boot-load-size 4 -boot-info-table -eltorito-alt-boot -e "/images/efiboot.img" -no-emul-boot -boot-load-size 12804 -isohybrid-gpt-basdat -R -J .

Step 7 - Test it

  • Create a VM with at least 50GB of disk (my kickstart needs that much storage), or adapt my example kickstart to your disk configuration.
  • The generated ISO is at /tmp/centos_kickstart.iso
  • Boot from ISO

If everything is ok, you should see a boot menu like this:

[image: kickstart]
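As an added example (not part of the tutorial): a script that generates the isolinux.cfg stanzas of step 5 for any number of kickstart files, in the ks=hd:LABEL=... form the tutorial insists on, and checks before the image is built that none of the kickstarts carries a plaintext root password, since everything on the ISO is readable by anyone holding it. Assumed: the kickstarts sit in isolinux/ of the unpacked tree and the volume label is the one passed to xorriso -V in step 6.

```shell
#!/bin/sh
# Added example, not from the tutorial: generate the boot entries of step 5
# for any number of kickstarts instead of pasting them by hand.
# Assumptions: kickstarts live in isolinux/ of the unpacked tree and the
# volume label matches the -V value given to xorriso in step 6.

# ks_label_path LABEL: encode spaces as \x20, as isolinux.cfg requires.
ks_label_path() {
  printf '%s' "$1" | sed 's/ /\\x20/g'
}

# gen_ks_entries VOLUME_LABEL KS_FILE... : print one stanza per kickstart.
# Each stanza gets a unique label name (ks1, ks2, ...) so the entries do
# not all share the name "linux".
gen_ks_entries() {
  vol=$(ks_label_path "$1"); shift
  n=1
  for ks in "$@"; do
    name=$(basename "$ks" .cfg)
    printf 'label %s\n' "$name"
    printf '  menu label ^Install - CentOS Linux 7 - kickstart %d\n' "$n"
    printf '  kernel vmlinuz\n'
    printf '  append initrd=initrd.img inst.stage2=hd:LABEL=%s ks=hd:LABEL=%s:/isolinux/%s\n\n' \
      "$vol" "$vol" "$(basename "$ks")"
    n=$((n + 1))
  done
}

# ks_plaintext_rootpw KS_FILE: succeed (exit 0) when the kickstart sets a
# root password that is not pre-hashed. The ISO is world-readable, so
# rootpw should use --iscrypted; run this on every ks file before step 6.
ks_plaintext_rootpw() {
  grep -E '^[[:space:]]*rootpw[[:space:]]' "$1" | grep -qv -- '--iscrypted'
}
```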