Improper Authorization in fredhutch/motuz
Mar 7th 2022
When motuz is configured for PAM authentication it skips the PAM account-management (authorization) check completely. As a result, expired accounts and accounts with expired passwords, which hold no privilege, can still log in.
Proof of Concept
You can expire an account with
chage -E0 <username>
and that account can still log in.
Since disabling an account still allows login via SSH keys, it is common to set an expiry date on accounts whose access should be denied. So accounts that technically have no privilege at all are still allowed to log in. To prevent this, after a successful call to
pam_authenticate it is necessary to call
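As an added example (not motuz's code and not the project's fix), the following Python module drives libpam through ctypes and denies a login unless both pam_authenticate and pam_acct_mgmt return PAM_SUCCESS; with check_account=False it reproduces the authenticate-only pattern described above. The service name "login", the function names and the FakeLibpam stand-in (which models an account expired with chage -E0) are assumptions made for illustration.

```python
"""PAM login check that does not stop at pam_authenticate.

Added example (not motuz's code): denies a login unless pam_authenticate AND
pam_acct_mgmt both return PAM_SUCCESS.  FakeLibpam is a constructed stand-in
so the control flow runs without a real PAM stack; service "login" is assumed.
"""
import ctypes
from ctypes import (CFUNCTYPE, POINTER, Structure, byref, c_char_p, c_int,
                    c_void_p, cast)

# Return codes from Linux-PAM's <security/_pam_types.h>
PAM_SUCCESS, PAM_AUTH_ERR, PAM_NEW_AUTHTOK_REQD, PAM_ACCT_EXPIRED = 0, 7, 12, 13
PAM_PROMPT_ECHO_OFF = 1  # conversation style used for password prompts


class PamMessage(Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]

class PamResponse(Structure):
    _fields_ = [("resp", c_char_p), ("resp_retcode", c_int)]

CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)

class PamConv(Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]


def _conversation(password: bytes):
    """Answer every echo-off prompt with the password.  Responses are allocated
    with libc calloc/strdup because libpam free()s them itself."""
    libc = ctypes.CDLL(None)
    libc.calloc.restype = c_void_p
    libc.strdup.restype = c_void_p
    libc.strdup.argtypes = [c_char_p]

    def conv(n_msgs, msgs, resp, _appdata):
        responses = cast(libc.calloc(n_msgs, ctypes.sizeof(PamResponse)),
                         POINTER(PamResponse))
        for i in range(n_msgs):
            if msgs[i].contents.msg_style == PAM_PROMPT_ECHO_OFF:
                responses[i].resp = cast(libc.strdup(password), c_char_p)
        resp[0] = responses
        return PAM_SUCCESS

    return CONV_FUNC(conv)


def load_libpam():
    """Bind the real libpam (Linux); used only when no stand-in is supplied."""
    lib = ctypes.CDLL("libpam.so.0")
    lib.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv),
                              POINTER(c_void_p)]
    for fn in (lib.pam_authenticate, lib.pam_acct_mgmt, lib.pam_end):
        fn.argtypes = [c_void_p, c_int]
    lib.pam_strerror.argtypes = [c_void_p, c_int]
    lib.pam_strerror.restype = c_char_p
    return lib


def pam_login(user, password, service="login", lib=None, check_account=True):
    """Return (allowed, reason).  check_account=False is the authenticate-only
    pattern: an account expired with chage -E0 passes pam_authenticate and is
    let in.  With the default, pam_acct_mgmt rejects expired accounts and
    expired passwords even though the password itself was correct."""
    lib = load_libpam() if lib is None else lib
    conv = PamConv(_conversation(password.encode()), None)  # kept alive here
    handle = c_void_p()
    rc = lib.pam_start(service.encode(), user.encode(), byref(conv), byref(handle))
    if rc != PAM_SUCCESS:
        return False, "pam_start: %d" % rc
    steps = [("pam_authenticate", lib.pam_authenticate)]
    if check_account:
        steps.append(("pam_acct_mgmt", lib.pam_acct_mgmt))  # the missing call
    try:
        for name, call in steps:
            rc = call(handle, 0)
            if rc != PAM_SUCCESS:
                return False, "%s: %s" % (name, lib.pam_strerror(handle, rc).decode())
        return True, "ok"
    finally:
        lib.pam_end(handle, rc)  # always release the handle


class FakeLibpam:
    """Constructed stand-in: the password is correct, but account management
    returns what Linux-PAM reports for an account expired with chage -E0."""
    def __init__(self, auth_rc=PAM_SUCCESS, acct_rc=PAM_ACCT_EXPIRED):
        self.auth_rc, self.acct_rc, self.calls = auth_rc, acct_rc, []
    def pam_start(self, service, user, conv, handle):
        self.calls.append("pam_start"); return PAM_SUCCESS
    def pam_authenticate(self, handle, flags):
        self.calls.append("pam_authenticate"); return self.auth_rc
    def pam_acct_mgmt(self, handle, flags):
        self.calls.append("pam_acct_mgmt"); return self.acct_rc
    def pam_end(self, handle, status):
        self.calls.append("pam_end"); return PAM_SUCCESS
    def pam_strerror(self, handle, rc):
        return {PAM_ACCT_EXPIRED: b"User account has expired",
                PAM_NEW_AUTHTOK_REQD: b"Authentication token is no longer valid; new one required",
                PAM_AUTH_ERR: b"Authentication failure"}.get(rc, b"error")


if __name__ == "__main__":
    expired = FakeLibpam()
    print("authenticate only: ", pam_login("alice", "pw", lib=expired, check_account=False))
    print("with pam_acct_mgmt:", pam_login("alice", "pw", lib=expired))
```

Denying on PAM_NEW_AUTHTOK_REQD is the safe default for a web application: a full PAM client would answer that code by running pam_chauthtok to force a password change, which a browser login form cannot do. pam_end is called on every path so a failed account check does not leak the handle.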