View Issue Details

ID: 0001108
Project: bareos-core
Category: [All Projects] director
View Status: public
Last Update: 2019-08-09 17:11
Reporter: joergs
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 19.2.1
Target Version:
Fixed in Version:
Summary: 0001108: PAM users can be misused to directly connect to the bareos-director without a password

Description:
When using PAM as the authentication method, the user password in the bareos-director is not used for authentication. However, the bareos configuration requires a password. In the documentation (https://docs.bareos.org/TasksAndConcepts/PAM.html#pam-user) the password is set to an empty string ("").

However, these users/consoles can be used to log in via bconsole *without* a password.
This is of course a security problem.

Steps To Reproduce:
Install bareos
Create the following files:

/etc/bareos/bareos-dir.d/console/pam.conf:
Console {
  Name = pam
  Password = secret
  UsePamAuthentication = yes
}

/etc/bareos/bareos-dir.d/console/user1.conf
Console {
  Name = user1
  Password = ""
  Profile = admin
}

bconsole-user1.conf:
Director {
  Name = bareos-dir
  address = localhost
  Password = "UNUSED"
}

Console {
  Name = "user1"
  Password = ""
}

systemctl restart bareos-dir.service

bconsole -c bconsole-user1.conf
Connecting to Director localhost:9101
 Encryption: ECDHE-PSK-CHACHA20-POLY1305
1000 OK: bareos-dir Version: 19.1.2 (01 February 2019)
bareos.org build binary
bareos.org binaries are UNSUPPORTED by bareos.com.
Get official binaries and vendor support on https://www.bareos.com
You are logged in as: user1

Enter a period to cancel a command.
*
Additional Information:
Temporary workaround: create PAM users with random passwords.

Tags: No tags attached.
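The report's steps and its workaround amount to a simple audit: any Console resource in the director's console directory whose Password is empty, and which is not itself the PAM entry console (UsePamAuthentication = yes), can be used by a bconsole with no credential at all. The script below is an added example, not code from the report or from the Bareos project. It parses only the flat `Console { Name = ... }` layout shown above (the real Bareos configuration grammar, with comments, @includes and multi-line values, is not handled; that is an assumption of this example), lists the consoles that are reachable without a password, and rewrites their empty Password directives with random values as the report's workaround suggests. The sample configuration embedded in it is constructed from the two console files in the report.

```python
"""Audit Bareos director Console resources for empty passwords.

Added example (not from the bug report or from Bareos). Assumes the simple
"Console { Name = x / Password = y }" layout from the report; the full
Bareos config grammar (comments, @includes, multi-line values) is not parsed.
"""
import re
import secrets

# Constructed sample: the two console files from the report, concatenated.
SAMPLE_CONFIG = """
Console {
  Name = pam
  Password = secret
  UsePamAuthentication = yes
}

Console {
  Name = user1
  Password = ""
  Profile = admin
}
"""

_RESOURCE_RE = re.compile(r"Console\s*\{(.*?)\}", re.DOTALL)
_DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$", re.MULTILINE)
_EMPTY_PASSWORD_RE = re.compile(r"(?m)^(\s*Password\s*=\s*)(\"\"|''|)\s*$")


def _unquote(value):
    """Strip one pair of surrounding quotes, so Password = "" becomes ''."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def _uses_pam(directives):
    return directives.get("usepamauthentication", "no").lower() in ("yes", "true", "1")


def parse_consoles(text):
    """Return one dict per Console resource, directive names lowercased."""
    consoles = []
    for match in _RESOURCE_RE.finditer(text):
        directives = {}
        for name, value in _DIRECTIVE_RE.findall(match.group(1)):
            directives[name.lower()] = _unquote(value)
        consoles.append(directives)
    return consoles


def find_unprotected_consoles(text):
    """Names of consoles a bconsole can use with an empty password.

    A console with an empty Password that is not the PAM entry console is
    exactly the user1 case from the report: it logs in without any secret.
    """
    return [
        console.get("name", "<unnamed>")
        for console in parse_consoles(text)
        if console.get("password", "") == "" and not _uses_pam(console)
    ]


def random_password(nbytes=32):
    """Random value for the report's workaround; PAM never checks it."""
    return secrets.token_urlsafe(nbytes)


def harden(text):
    """Give every unprotected console a random Password, leaving the rest untouched."""
    def fix(match):
        body = match.group(1)
        directives = {n.lower(): _unquote(v) for n, v in _DIRECTIVE_RE.findall(body)}
        if directives.get("password", "") == "" and not _uses_pam(directives):
            body = _EMPTY_PASSWORD_RE.sub(
                lambda m: m.group(1) + '"' + random_password() + '"', body, count=1)
        head = match.group(0)[: match.start(1) - match.start(0)]  # "Console {"
        return head + body + "}"
    return _RESOURCE_RE.sub(fix, text)


if __name__ == "__main__":
    print("unprotected:", find_unprotected_consoles(SAMPLE_CONFIG))
    print(harden(SAMPLE_CONFIG))
```

Run it against the concatenated contents of `/etc/bareos/bareos-dir.d/console/*.conf` to list the consoles that need a password before the director is restarted; the randomised value only has to be unguessable, since for a PAM user it is never what the user types.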

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-08-09 17:11 joergs New Issue