debian-devel, September 2004

Possibly incorrect pam.d/* files in many packages
Nikita V. Youshchenko, 2004-09-27

Hello.
I just found that in some files in /etc/pam.d/ some 'required' lines are
after '@include' lines. E.g.:
....
@include common-auth
auth required pam_env.so
....
AFAIK, '@include common-auth' is there to make it easy to set up other
(than pam_unix) auth methods. In a common LDAP accounts setup, common-auth
will have 'sufficient' line for one auth method (e.g. pam_unix), and
'required' line for another method (e.g. pam_ldap).
But if it is possible that common-* files contain at least one 'sufficient'
line, it seems to be incorrect to have any 'auth required' lines after
common-auth is included - those lines will not be executed if the module
listed in common-auth as 'sufficient' succeeds. Same about account,
session and password, and probably same about 'optional' lines.
I think it's a bug in a package if 'required' is after '@include'. I first
found that in /etc/pam.d/cron, and filed a bug against cron package
(#273631). However, later I found the same situation in other files in pam.d
(kdm, kdm-np, login, ssh, su). Before reporting bugs against packages
containing those files, I am asking in -devel - is this really a bug (do I
understand things correctly)?
Btw, probably other packages that provide pam.d files have the same issue.
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Philipp Matthias Hahn, 2004-09-28

On Mon, Sep 27, 2004 at 06:14:41PM +0400, Nikita V. Youshchenko wrote:
> I just found that in some files in /etc/pam.d/ some 'required' lines are
> after '@include' lines.
....
> AFAIK, '@include common-auth' is there to make it easy to set up other
> (than pam_unix) auth methods. In a common LDAP accounts setup, common-auth
> will have 'sufficient' line for one auth method (e.g. pam_unix), and
> 'required' line for another method (e.g. pam_ldap).
So don't use "sufficient". Because of this I'm using the long format:
required == [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
sufficient == [success=done new_authtok_reqd=done default=ignore]
My /etc/pam.d/@common-auth contains the following lines:
# Use local accounts first to enable root logins even when LDAP fails.
# On success, skip LDAP authentication.
auth [success=1 default=ignore] pam_unix.so nullok
# Try LDAP next with same password.
auth required pam_ldap.so use_first_pass
# Put a dummy at the end, so 'skip=1' has something to jump to.
auth required pam_permit.so
Sidenote:
If you want to deny some account on some host using LDAP's
'host' attribute, you have to be careful with pam_unix.so, because for
account checks it always returns success when NSS returns a passwd
entry. Adding "perm_denied=bad" for pam_ldap.so can solve this.
BYtE
Philipp
--
Philipp Matthias Hahn <pmhahn@debian.org>
GPG/PGP: 9A540E39 @ keyrings.debian.org
Nikita V. Youshchenko, 2004-09-28

> On Mon, Sep 27, 2004 at 06:14:41PM +0400, Nikita V. Youshchenko wrote:
> ...
>
> So don't use "sufficient". Because of this I'm using the long format:
> required == [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
> sufficient == [success=done new_authtok_reqd=done default=ignore]
>
> My /etc/pam.d/@common-auth contains the following lines:
>
> # Use local accounts first to enable root logins even when LDAP fails.
> # On success, skip LDAP authentication.
> auth [success=1 default=ignore] pam_unix.so nullok
> # Try LDAP next with same password.
> auth required pam_ldap.so use_first_pass
> # Put a dummy at the end, so 'skip=1' has something to jump to.
> auth required pam_permit.so
Almost every text on the internet that is related to LDAP accounts setup
suggests to use 'sufficient' PAM lines. If this is not correct for Debian,
this should be documented in a very noticeable place! (e.g. in
commented-out lines in default /etc/pam.d/common-* files.)
Philipp Matthias Hahn, 2004-09-29

Hello Nikita, Stephen!
On Tue, Sep 28, 2004 at 11:58:10PM +0400, Nikita V. Youshchenko wrote:
> Almost every text in the internet that is related to LDAP accounts setup,
> suggests to use 'sufficient' PAM lines. If this is not correct for Debian,
> this should be documented in a very noticable place! (e.g. in
> commented-out lines in default /etc/pam.d/common-* files.
The "@some-file" is a Debian extension. RedHat for example has a
pam_stack.so for similar purpose, but I don't know if and how they
handle "sufficient" better.
Yes, you're right that this needs documentation. When I was deploying
LDAP, I didn't find any good documentation, all of them just scratched
the top of the problems deploying LDAP.
Stephen: Can you add the following lines to libpam-ldap/README.Debian
- Be very careful when you use "sufficient pam_ldap.so" in Debian's
/etc/pam.d/common-* files: Some services can place other "required"
PAM-modules after the includes, which will be ignored if pam_ldap.so
succeeds. As a workaround, use something like the following construct:
# Check local authentication first, so root can still login
# while LDAP is down.
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
The third line is needed, so "success=1" can skip over one module and
still has a module to jump to. Without that, PAM segfaults!
- If you want to use the "pam_check_host_attr" feature, make sure
"pam_unix.so" doesn't provide a valid "account" via the Name Service
Switch (NSS), which overrides your LDAP configuration. Don't use "ldap"
for "shadow" in /etc/nsswitch.conf, just use "shadow: files". For PAM,
use something like the following:
# Try local /etc/shadow first and skip LDAP on success
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so
BYtE
Philipp
--
Philipp Matthias Hahn <pmhahn@debian.org>
GPG/PGP: 9A540E39 @ keyrings.debian.org
Nikita V. Youshchenko, 2004-09-30

> > Almost every text in the internet that is related to LDAP accounts
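The following is an added example, not code from the thread or from Linux-PAM itself. It is a small Python evaluator for the control-flag semantics that Philipp's two messages rely on (the long-form expansions of 'required' and 'sufficient', and the '[success=1 default=ignore]' construct with its trailing pam_permit.so dummy). It runs the "sufficient" layout and the skip layout side by side against a constructed user table (root known only locally, alice known only in LDAP) and records which modules actually execute, which is exactly the difference Nikita's original report is about: with 'sufficient pam_unix.so', a 'required' line placed after '@include common-auth' never runs for a local user. The fake modules, the user table and the decision to treat a jump with no module left to land on as a configuration error are all assumptions made for this example; real PAM modules and real PAM behaviour at the end of a stack are not modelled.

```python
# Added example (not from the thread, not Linux-PAM source): a toy evaluator
# for the control-flag semantics discussed above, so the "sufficient" layout
# and the "[success=1 default=ignore]" layout can be compared offline.
# Module behaviour is faked against a constructed user table.

LOCAL_USERS = {"root": "toor"}        # constructed: what pam_unix.so would find
LDAP_USERS = {"alice": "wonderland"}  # constructed: what pam_ldap.so would find

# Long-form equivalents of the keywords, as quoted in the thread.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok",
                   "default": "ignore"},
}


def parse_control(control):
    """'required' or '[success=1 default=ignore]' -> {retval: action}."""
    if control in KEYWORDS:
        return dict(KEYWORDS[control])
    if control.startswith("[") and control.endswith("]"):
        return dict(item.split("=", 1) for item in control[1:-1].split())
    raise ValueError("unknown control field: %r" % control)


# Fake modules: each returns a PAM-style result name for (user, password).
def pam_unix(user, password):
    return "success" if LOCAL_USERS.get(user) == password else "auth_err"


def pam_ldap(user, password):
    return "success" if LDAP_USERS.get(user) == password else "auth_err"


def pam_permit(user, password):
    return "success"


def pam_env(user, password):  # stands in for any 'required' line after @include
    return "success"


MODULES = {"pam_unix.so": pam_unix, "pam_ldap.so": pam_ldap,
           "pam_permit.so": pam_permit, "pam_env.so": pam_env}


def run_stack(stack, user, password):
    """Evaluate an auth stack; return (final_result, modules_that_ran).

    stack: list of (control, module) tuples, i.e. pam.d lines with the
    leading 'auth' column removed.
    """
    ran, failure, saw_ok, i = [], None, False, 0
    while i < len(stack):
        control, name = stack[i]
        actions = parse_control(control)
        ret = MODULES[name](user, password)
        ran.append(name)
        action = actions.get(ret, actions.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue
        if action == "ok":
            saw_ok = True
        elif action == "done":
            # sufficient: stop now, unless a required module already failed
            return (failure or "success", ran)
        elif action == "bad":
            failure = failure or ret   # first failure wins, stack continues
        elif action == "die":
            return (failure or ret, ran)
        elif action.isdigit():
            # success=N: same as 'ok', plus skip the next N modules
            saw_ok = True
            i += int(action)
            if i >= len(stack):
                # Assumption: a jump with no module left to land on is a
                # configuration error (the thread reports older PAM crashed).
                # This is what the trailing pam_permit.so dummy guards against.
                raise ValueError("success=%s jumps past the end" % action)
        else:
            raise ValueError("unsupported action %r" % action)
    return (failure or ("success" if saw_ok else "perm_denied"), ran)


# Service file after '@include common-auth' expansion, with the 'required'
# pam_env.so line that the thread found placed after the include.
BROKEN_STACK = [("sufficient", "pam_unix.so"),
                ("required", "pam_ldap.so"),
                ("required", "pam_env.so")]

FIXED_STACK = [("[success=1 default=ignore]", "pam_unix.so"),
               ("required", "pam_ldap.so"),
               ("required", "pam_permit.so"),   # landing pad for success=1
               ("required", "pam_env.so")]

NO_DUMMY_STACK = FIXED_STACK[:2]   # the same layout without the pam_permit.so line

if __name__ == "__main__":
    for label, stack in (("broken", BROKEN_STACK), ("fixed", FIXED_STACK)):
        for user, pw in (("root", "toor"), ("alice", "wonderland"), ("bob", "x")):
            print(label, user, run_stack(stack, user, pw))
```

Running it shows that BROKEN_STACK authenticates root after pam_unix.so alone, so pam_env.so is silently skipped, while FIXED_STACK runs pam_env.so for both the local and the LDAP user and still rejects an unknown user because pam_ldap.so's failure is remembered. Dropping the pam_permit.so line from FIXED_STACK makes the success=1 jump land beyond the last module for root, which is the case Philipp's "so 'skip=1' has something to jump to" comment is about.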
>
> The "@some-file" is a Debian extension. RedHat for example has a
> pam_stack.so for similar purpose, but I don't know if and how they
> handle "sufficient" better.
>
> Yes, you're right that this needs documentation. When I was deploying
> LDAP, I didn't find any good documentation, all of them just scratched
> the top of the problems deploying LDAP.
>
>
> Stephen: Can you add the following lines to libpam-ldap/README.Debian
>
> ...
I still think that the example should be included (commented-out of course)
in common-* files provided by default. This will not hurt anyway, and make
it almost impossible to keep it unnoticed by admins - even those who read
documentation only when they get problems.